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DO THE PAYMENT CARD INDUSTRY DATA 
STANDARDS REDUCE CYBERCRIME? 


Tuesday, March 31, 2009 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Emerging Threats, Cybersecurity, and 

Science and Technology, 

Washington, DC. 

The subcommittee met, pursuant to call, at 2:11 p.m., in Room 
311, Cannon House Office Building, Hon. Yvette D. Clarke [Chair- 
woman of the subcommittee], presiding. 

Present: Representatives Clarke, Richardson, Lujan, Thompson 
[ex officio], and Lungren. 

Ms. Clarke. The subcommittee will come to order. The sub- 
committee is meeting today to receive testimony on whether the 
payment card industry data standards reduce cybercrime. 

Good afternoon. In recent years, a number of well-known compa- 
nies have experienced massive data breaches in their internal com- 
puter networks, resulting in the compromise of sensitive customer 
data. The criminals who perpetrated these intrusions targeted the 
credit and debit card account information held by merchants or 
third-party data processors as the result of retail transactions. 

With a thriving black market that rapidly packages and sells sto- 
len cardholder data, the information compromised during these 
breaches may ultimately aid a number of criminal organizations. 
We know that some percentage of the fraudulent charges and illicit 
businesses from these activities is used to fund terrorist activity 
throughout the world. 

In his 2002 autobiography, the Bali nightclub bomber specifically 
referred to on-line credit card fraud and carding as a means to fund 
terrorist activities and encouraged his followers to use this method 
to obtain financing. 

More recently, a British case involving three jihadis, alleged that 
the men used stolen credit card numbers obtained through fishing 
scams and Trojan horses to make more than 3.5 million in fraudu- 
lent charges. The jihadis reportedly used the numbers at hundreds 
of on-line stores to purchase equipment and other items, including 
prepaid cell phones and airline tickets, in order to aid jihadi groups 
in the field. 

The subcommittee is holding this hearing today to voice our con- 
cern about the growing number of data breaches and to understand 
what is being done to curb this activity and to suggest that both 
merchants and the pay card industry have significant work ahead 
to meet our expectations. The payment card industry — Visa, 
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MasterCard, Discover, American Express, and JCB — requires every 
business that stores, processes, or transmits computer data to com- 
ply with specific data security standards. The intent of these stand- 
ards is to reduce the likelihood of successful data security breaches. 
On an annual basis, these merchants must certify that they are 
compliant with the payment card industry data security standards 
known as PCI standards. 

The PCI standards contain a number of security controls that 
businesses must implement. The PCI standards allow smaller busi- 
nesses to self-certify compliance, while larger merchants must be 
validated by a qualified security assessor. Enforcement comes 
through the card companies themselves who can levy fines and/or 
prohibit noncompliant merchants from using their services. 

To be clear, the PCI standards are not Government regulations 
and are not enforced by the Government. This committee supports 
industry-created and -managed security standards as long as they 
are strong and effective. 

In light of the rising number of publicly reported data breaches, 
Chairman Thompson launched an investigation to determine 
whether the PCI standards have been effective in reducing 
cybercrime. The results of this investigation suggest that the PCI 
standards are of questionable strength and effectiveness. 

The effort to become PCI-compliant is a daunting challenge for 
merchants whose core competency is the selling of merchandise 
rather than expertise in security. The cost for the largest mer- 
chants can be as high as $18 million a year. Many believe that if 
they complete this arduous task, they will be rewarded with a se- 
cure system. But the committee’s investigation confirms what 
many analysts have known for years. In the words of one credit 
card company, full compliance with the PCI standard does not 
guarantee that the merchant or vendor will not be the victim of a 
data breach. 

Take last year’s data breach of Hannaford Brothers Company, for 
example. Hackers installed malicious code on servers to every one 
of the grocery stores in the Hannaford chain. The malware inter- 
cepted the data stored on the magnetic stripe of payment cards as 
customers used them at the checkout counter. Hannaford received 
certification that they were PCI-compliant on February 28, 2008. 
But on February 27, 2008, according to the documents obtained by 
the committee, Hannaford was notified that a number of the credit 
card numbers from its network were stolen and being used on the 
black market. In other words, Hannaford was being certified as 
PCI-compliant while an illegal intrusion into its network was in 
progress. 

I do not believe that PCI standards are worthless. In the absence 
of other requirements they do serve some purpose, but I do want 
to dispel the myth, once and for all, that PCI compliance is enough 
to keep a company secure. It is not. The credit card companies ac- 
knowledge that. 

The bottom line is that if we care about keeping money out of 
the hands of terrorists and organized criminals, we have to do 
more, and we have to do it now. Specifically, we must improve our 
policies and our technology. 



3 


First, the standards have to be better because they are inad- 
equate to protect against the methods being used by modern hack- 
ers and attackers. Despite what the credit card companies say, for 
millions of small and large businesses out there, the PCI standards 
are the ceiling and not the floor. The bar must be raised. In this 
dynamic threat environment, attackers are constantly ahead of de- 
fenders, and yet the PCI standards are updated only by unanimous 
consent every 2 years. 

But part of the problem is that the standards do not require 
more frequent penetration testing. The only way to reduce breaches 
is by continuously testing and attacking a system through penetra- 
tion testing and timely mitigation. 

Second, the payment card industry and issuing banks need to 
commit to investing in infrastructure upgrades here in the United 
States. In a response to the committee’s investigation, one breached 
company noted that the effectiveness of data security standards is 
inherently limited by the technology base of U.S. credit and signa- 
ture debit card processing networks. Credit and signature debit 
transactions are not protected by encrypted PINs. Implementation 
of encrypted PINs for all debit and credit transactions could be use- 
ful. 

Countries in Europe and Asia are deploying new technologies 
like Chip and PIN to fight fraud that could lead to organized crime 
and terrorism and it is working. According to the U.K. Payments 
Association, 3 years after beginning the migration to chip-card 
technology, losses on transactions had reduced by 67 percent, from 
219 million pounds in 2004 to 73 million pounds in 2007. However, 
despite card fraud dropping 32 percent domestically between 2006 
and 2007, overall counterfeit card fraud affecting U.K. customers 
was up 46 percent. 

Why? The cards were being used by malicious actors in countries 
that had not yet implemented the technology. The United States is 
being blown away by security investments overseas and our 19508- 
era system is making us a weak link in the security chain. 

Magnetic stripe-based technology is outmoded and inherently 
less secure when compared to smart cards or other developing tech- 
nologies. While I am deeply concerned about our security, the pay- 
ment card industry and issuing banks should be ashamed about 
the current state of play and doing everything possible to imme- 
diately institute improvements in infrastructure. 

I know that our witnesses care about keeping financial informa- 
tion out of the hands of terrorists and other organized crime ele- 
ments and I know that the payment card industry cares. I know 
that the merchant community cares. But the time for waiting is 
over. The time for shifting risk is over. Today, the responsibility is 
yours to make this situation better. 

This is the first step in the committee’s review of the payment 
card industry’s efforts, a review that I believe the Chairman plans 
to continue. We look forward to hearing about your plans to im- 
prove America’s cybersecurity posture and working with you in all 
the weeks and months ahead. 

The Chairwoman now recognizes the Ranking Member of the 
subcommittee, the gentleman from California, Mr. Lungren, for an 
opening statement. 
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Mr. Lungren. Thank you very much, Madam Chairwoman. I 
want to compliment you for scheduling this important data security 
hearing. It is an issue that most people are aware of, but few seem 
to understand the full extent of this threat or the remedies re- 
quired to eliminate it as much as possible. 

The new Information Age created by computers, the internet, 
and instant communication offers many benefits to the Nation, par- 
ticularly our economy. Transacting business on the internet is one 
of the key benefits of the Information Age. 

Utilizing, obviously, credit cards today is the way people nor- 
mally transact business. It is the new currency of our age. A lot 
of people don’t even carry cash around anymore. In fact, sometimes 
you try to pay with cash and people look at you, trying figure out 
what scam you have going on. 

I was at one place where I actually had a 50-cent piece that I 
was trying to utilize and the woman would not recognize it as an 
American currency. I was trying to explain to her the image on the 
surface, and she just evidently missed that history lesson about 
that President. 

The internet has acted as a powerful economic engine for the 
U.S. economy. Unfortunately, these new business opportunities car- 
ried via the internet have also transformed the landscape for the 
criminal, making available a wider array of new methods that iden- 
tity thieves can use to access and exploit the personal and financial 
information of others. 

Today’s skilled computer hackers are capable of perpetrating 
large-scale data breaches that leave tens of millions of individuals 
at risk of identity theft. I recall my wife and I were at dinner one 
night, I gave the card to the waiter. After 5 minutes, the waiter 
came back kind of embarrassed and said, well, Mr. Lungren, this 
card doesn’t seem to be working. So I turned to my wife and said, 
Why don’t you give them the card? She gave them the card with 
the same account. They came back later and said it is not working. 
Luckily my wife had another card. 

If I had been in Chicago, changing planes, and needed to stay 
overnight there, I would have been up the creek without a paddle, 
as we say. I went home that night, called in to the credit card com- 
pany and they informed us there had been a credit card com- 
promise. Our account had been compromised. They would tell us 
nothing more than that. My wife went on-line to see what our ac- 
count was at that point in time. There was no such account. It was 
as if it had vanished. 

The point I am making is we were never notified by the credit 
card company. We have a number of automatic payments that are 
made against the card and we tried to track every one of them, and 
missed one of them and got a notice that we had not paid that 
month for something. 

So we are putting a tremendous obligation on the entire industry 
in this case. One is to try and secure things. The other one is when 
there is a breach, what is your requirement to notify people? Under 
what circumstances do you notify people? If you are not giving that 
information to those of us who are the consumer, is that informa- 
tion being given to law enforcement to follow up in all cir- 
cumstances? Those are just some of the questions. 
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The key to this internet economic engine running smoothly is 
data security. There is no doubt about it. If we are unable to secure 
our on-line financial transactions from financial criminals, even 
those not involved in terrorism, then our economic growth will be 
jeopardized, and actually we have fulfilled the terrorist dreams of 
pulling down our country through an economic attack. Customers 
will reject on-line purchases if they can’t be assured that their pay- 
ment card transactions are protected. Without consumer or cus- 
tomer confidence in the safety of the payment card transaction, 
internet commerce would dry up and we could have problems with 
people just using the card when they are actually at brick-and-mor- 
tar stores. 

We know it was a huge problem in the early days of the internet 
when it was an unknown frontier. Unchecked criminal activity will 
bring back those wild west days, undermine customer confidence, 
and cripple internet commerce. I applaud the payment card indus- 
try for investing their resources and personnel to develop and pro- 
mote a universal data security standard. As was mentioned, it is 
voluntary. We understand that. A lot of work has gone into it. We 
understand that there is always the challenge. It is easy for those 
of us in Government to say we can do a better job. Thank God we 
haven’t had any security breaches on the part — excuse me — I guess 
we have had a couple of them here and there. All that points out 
is it is a real challenge to stay ahead of the bad guys. 

I mean, you have got mischievous hackers, you have got indi- 
vidual criminal hackers, you have got criminal enterprise hackers, 
you have got transnational organization hackers, you have got na- 
tion-state hackers and, frankly, you have got to try to protect 
against all of that. 

The PCI Security Standards Council that includes all of the 
major card brands has at least understood that there is a need for 
a set of comprehensive requirements for enhancing payment ac- 
count security. One of the questions I would ask: Is there any place 
for the retailers to be involved in discussion of those standards and 
part of that? Another question I would ask is: I know you have 
some flexibility within the standards as they exist now. But is it 
still too much of one size fits all? In other words, I know you have 
a demarcation between mom-and-pop stores and the big retailer, 
but in between does it make sense? Are the standards flexible 
enough to be effective on the one hand and at the same time allow 
for different business models to operate in a reasonable fashion for 
them? 

So I realize that the first standard was developed in 2006 to im- 
prove the standard security in the payment card industry. It has 
improved the situation. More needs to be done. We are trying to 
identify those areas that need to be done. We have trying to make 
sure all the parties are brought to bear on the question. We are 
looking to see if Government regulation is needed. 

The last thing I would say is this. The challenge for us in Gov- 
ernment is to try to ensure that we don’t interfere with the inge- 
nuity of the private sector in being able to put the fixes into the 
security system that are necessary. If you can help us in that re- 
gard, not only will you benefit, we will benefit as well. Thank you 
very much, Madam Chairwoman. 
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Ms. Clarke. The Chairwoman now recognizes the Chairman of 
the full committee on Homeland Security, the gentleman from Mis- 
sissippi, Mr. Thompson, for an opening statement. 

Mr. Thompson. Good afternoon. Thank you, Madam Chair, for 
holding this very critical hearing on the effectiveness of the PCI 
standards. 

From our personal computers to Government networks to our 
critical infrastructure, the United States is under attack in cyber- 
space. This adversary ranges in skill from unsophisticated to highly 
capable, from loan hackers to organized crime and nation-states. 
Their intent ranges from nuisance and disruption to theft, espio- 
nage, and warfare. Their successes are varied. 

From every hacker that we have caught and prosecuted, thou- 
sands continue to work unabated. In December 2008, the Center 
for Strategic and International Studies concluded that the battle 
for cyberspace is one that we are not winning. 

Willy Sutton was rumored to have said he robbed banks because 
that is where the money is. In today’s world of payment card trans- 
actions, the money is now located on computer networks. On any 
given day, billions of dollars float back and forth between mer- 
chants and payment card networks which process credit card num- 
bers for transactions in an area that is ripe for hackers to exploit, 
and they are taking advantage of weaknesses in the system. 

We are here today to learn about the private sector’s efforts to 
combat data breaches and cybercrime and to assess the quality of 
the payment card industry data security standards. The standards 
have been around for several years, but massive on-going data 
breaches at some of America’s largest merchants suggest that the 
standards are inadequate to prevent breaches. 

The essential flaw with the PCI standards is that it allows com- 
panies to check boxes, but not necessarily be secure. Checking 
boxes makes it easier to assess compliance with the standard, but 
compliance does not equal security. We have to get beyond check- 
box security. It provides a false sense of security for everyone in- 
volved, and it is ineffective in reducing the real threats. Companies 
need to understand that even if 100 percent compliance with PCI 
standards is achieved, hackers will continue to develop techniques 
to exploit the computer systems of companies holding cardholder 
data. You are not safe unless you continually test your systems. 

Today we are calling for change. I call on the payment card in- 
dustry, and the thousands of merchants and vendors who have to 
comply with the standards, to rededicate themselves to the goal of 
securing their networks. For the payment card industry and the 
issuing banks, this is going to mean significant investment in the 
infrastructure upgrades. As the Chairwoman has pointed out, these 
investments are already on-going overseas. 

I am puzzled and disappointed that we are not seeing similar up- 
grades here domestically, and I hope our witnesses can explain 
why the card industry appears not to be moving quickly to address 
these issues. I am also deeply troubled by the testimony that sug- 
gests credit card companies are less interested in substantially im- 
proving their product and procedures than they are in reallocating 
their fraud costs. The payment card industry’s efforts to shift risk 
appears to have contributed to our current state of insecurity, and 
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I am concerned that as long as the card industry is writing the 
standards, we will never see a more secure system. 

We in Congress must seriously consider whether we can continue 
to rely on industry-created and -enforced standards, particularly if 
they are inadequate to address the on-going threats. 

I look forward to working with my colleagues on both sides of the 
aisle and across committee lines to further explore whether Gov- 
ernment action is necessary to protect against these threats. One 
thing is certain: The current system is not working. 

Madam Chairwoman, I thank you for your work in this area, and 
I look forward to the testimony of both panels. 

Ms. Clarke. Thank you very much, Mr. Chairman. Other Mem- 
bers of the subcommittee are reminded that under the committee 
rules, opening statements may be submitted for the record. 

We are going to take a break right now for votes. They have 
come up and we are scheduled for three votes, which puts us at 
about 25 minutes. Well, now it is less than 25 minutes, maybe 
about 15. So please excuse us as we go and recess for votes. 

[Recess.] 

Ms. Clarke. I welcome our only panelist on the Federal panel, 
Ms. Rita Glavin, Acting Assistant Attorney General, Criminal Divi- 
sion, Department of Justice. In June 2008, Ms. Glavin joined the 
Criminal Division as the Acting Principal Deputy Assistant Attor- 
ney General. Ms. Glavin began her service to the Department in 
1998 through the Department’s honors program as a trial attorney 
in the public integrity section where she worked until 2003. Since 
2003, Ms. Glavin has been an assistant U.S. attorney with the 
United States Attorneys Office for the Southern District of New 
York. 

Without objection, this witness’ full statement will be inserted 
into the record. I now ask you to introduce yourself and summarize 
your testimony for 5 minutes. 

STATEMENT OF RITA M. GLAVIN, ACTING ASSISTANT ATTOR- 
NEY GENERAL, CRIMINAL DIVISION, DEPARTMENT OF JUS- 
TICE 

Ms. Glavin. Good afternoon, Chairwoman Clarke, and thank you 
for the invitation to address the subcommittee. As you know, iden- 
tity theft is not a new problem. However, in recent years, identity 
thieves have begun to capitalize on a variety of new methods to ac- 
cess and exploit the personal information of others. Skilled hackers 
are now capable of perpetrating large-scale data breaches that 
leave hundreds of thousands of individuals and, in some cases, mil- 
lions of individuals at risk of identity theft. 

The Department of Justice, along with our law enforcement part- 
ners, has been aggressively investigating and prosecuting these 
data breaches and other criminal activity associated with them. We 
are committed to continuing our efforts. We have historically had 
tremendous success in identifying, investigating, and prosecuting 
the perpetrators of these acts. But as always, we can and we will 
do more. 

To that end, the continued and improving coordination with our 
partners in the international community and in the private sector 
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will be critical to ensuring our success. We are glad to have this 
opportunity to discuss these issues with your subcommittee. 

The Department has responsibility for the investigation and 
prosecution of a wide range of cybercrime cases. But large-scale 
breaches are of significant concern to us because their effects can 
be amplified exponentially when criminals use the internet to 
quickly and widely distribute vast quantities of information stolen 
during these breaches. 

The threat we face is wide and it is varied, ranging from very 
sophisticated individual hackers to international criminal organiza- 
tions. The resulting losses, as you know, can be devastating and 
the criminals perpetrating these acts may be motivated by any 
number of factors, including personal financial gain and the desire 
to use this illegal activity to fund and facilitate other dangerous 
crimes. 

The Department’s benchmark prosecutions of large-scale data 
breaches and the criminal activity that results from such breaches 
highlight the range of our efforts that we have been using to ad- 
dress the growing problem. I want to give you a couple of examples. 
Most recently, the FBI announced the results of a 2-year under- 
cover operation that targeted members of the on-line carding forum 
known as Dark Market. At its peak, the Dark Market Web site had 
over 2,500 registered members around the world. This operation 
has resulted in 60 arrests worldwide and it has prevented what we 
estimate to be approximately $70 million in economic loss. 

In another example, in August 2008, the Department announced 
the largest hacking and identity theft case ever prosecuted, in 
which charges were brought against 11 members of an inter- 
national hacking ring. Now, these various defendants who were 
from the United States, Estonia, the Ukraine, Peoples Republic of 
China, Belarus, were charged with, among other things, the theft 
and sale of more than 40 million credit and debit card numbers ob- 
tained from various retailers. 

Another example, in 2004 the U.S. Secret Service and several 
components of the Justice Department coordinated the search and 
arrest of more than 28 members of the Shadow Crew, a criminal 
organization located in eight States in the United States and six 
foreign countries. Members of the group were later charged in a 62- 
count indictment with trafficking in at least 1.5 million stolen cred- 
it and bank card numbers that resulted in losses in excess of $4 
million. The Shadow Crew Web site was disabled, which we believe 
prevented hundreds of millions of dollars in additional losses to the 
credit card industry. This was known as Operation Firewall, and 
this early effort paved the way for our more recent successes in 
this area. 

Now, while investigation and prosecution are important, preven- 
tion and detection are key elements in the fight against this crimi- 
nal activity. Keeping credit, debit, and other financial account in- 
formation out of the hands of criminals in the first place is an es- 
sential step in reducing the frequency and minimizing the impact 
of large-scale data compromises. We suggest that all entities that 
store, process, or transmit credit, debit, and other financial account 
information should take steps, including complying with the pay- 
ment card industry data security standards, to improve the secu- 
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rity of their computer systems and to decrease the vulnerability of 
the information they handle. 

Of course, even 100 percent compliance with the PCI DSS, if that 
were achieved, it is likely that hackers will continue to develop 
techniques to exploit the computer system of companies holding 
cardholder data. For instance, in those instances where the hackers 
have succeeded, efforts by the Department and efforts by investiga- 
tive agencies to look into and prosecute and punish those hackers 
and carders have been critical to deterring future criminals. 

For us to have continued success on this front, it is imperative 
that, No. 1, victim companies embrace new measures to swiftly de- 
tect data breaches and system compromises. No. 2, that the victim 
companies immediately and consistently report detected data 
breaches to law enforcement. Finally, that the United States builds 
on its existing relationships with our international partners to 
strengthen law enforcement cooperation channels internationally. 
Thank you. 

Ms. Chairwoman, I am prepared to answer your questions. 

Ms. Clarke. I thank you for your testimony. 

[The statement of Ms. Glavin follows:] 

Prepared Statement of Rita M. Glavin 
March 31, 2009 

Good morning, Chairwoman Clarke and Ranking Member Lungren. Thank you for 
your invitation to address the committee. The Department of Justice welcomes this 
opportunity to testify about our commitment to combating large-scale data breaches 
and the payment card fraud that results from such breaches. 

As you know, identity theft is not a new problem. However, in recent years, the 
information age has transformed the landscape in which criminals operate, making 
available a wide array of new methods that identity thieves can use to access and 
exploit the personal information of others. Criminals have capitalized on these new 
and far-ranging opportunities. Skilled hackers are now capable of perpetrating 
large-scale data breaches that leave hundreds of thousands — and in many cases, 
tens of millions — of individuals at risk of identity theft. Today’s criminals now have 
the opportunity to remotely access the computer systems of Government agencies, 
universities, merchants, financial institutions, credit card companies, and data proc- 
essors, to steal large volumes of personal information, including individuals’ finan- 
cial information, made available simply by virtue of everyday acts like making cred- 
it and debit card retail transactions. Reflecting this trend, there are currently over 
2,000 active cases related to identity theft pending in the U.S. Attorney’s Offices 
(USAOs), and there has been a 138.2% increase in identity theft convictions by 
USAOs between fiscal year 2004 and fiscal year 2008. The Department of Justice, 
through its Criminal Division, the Federal Bureau of Investigation (FBI), the 
USAOs, and other components, along with our partners at the U.S. Secret Service 
(USSS) and the U.S. Postal Inspection Service, has been aggressively investigating 
and prosecuting these data breaches and other criminal activity associated with 
them, and we are committed to continuing our efforts. Historically, the Department 
has had tremendous success in identifying, investigating, and prosecuting the per- 
petrators of these acts. But as always, we can and will do more. To that end, the 
continued and improved coordination with our partners in the international commu- 
nity and the private sector will be critical to ensuring our success, and we are glad 
to have this opportunity to discuss these issues in particular with you. 

the “carder” threat 

The Department has responsibility for the investigation and prosecution of a wide 
range of cyber crime cases, but large-scale breaches are of significant concern to us 
because their fallout can be amplified exponentially when criminals harness the 
power of the internet to quickly and widely distribute for future fraudulent use the 
vast quantities of information stolen during these breaches. For example, inter- 
national organized crime is currently one of the fastest-growing threats in the com- 
puter intrusion arena, and these groups — who are continuing to expand and become 
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more sophisticated — along with hosts of other cyber criminals, have made large- 
scale data breaches one powerful part of their profile. 

Through activity known as “carding,” large volumes of data are stolen, resold, and 
ultimately used by criminals to commit fraud. In recent years, the problem of “card- 
ing” has grown. “Carding” means not only the unauthorized use of credit and debit 
card account information to fraudulently purchase goods and services, but also a 
growing assortment of related activities including computer hacking, phishing, cash- 
ing out stolen account numbers, re-shipping schemes, and internet auction fraud. I 
will describe some of these schemes in more detail in a moment. 

The internet provides a unique venue in which “carders” can advertise and sell 
stolen data to the highest bidder and self-organize to facilitate their activities. For 
example, carders often become members of Web site forums designed to provide an 
active marketplace for the sale of, among other contraband, stolen credit and debit 
card numbers; compromised personally-identifiable information, including an indi- 
vidual’s address, phone number, social security number, personal identification 
numbers (PINs), credit history report, and mother’s maiden name; and false identi- 
fication documents. 

Once stolen identity information is sold, the purchasers frequently engage in 
fraudulent activity including, among other things, the use of stolen credit card infor- 
mation to make purchases on-line and in person, and “cashing,” which refers to the 
act of obtaining money — rather than retail goods and services — with the unauthor- 
ized use of stolen financial information. In recent years, criminal carding organiza- 
tions engaged in what is known as “PIN cashing” have developed sophisticated 
“cash-out networks” in which stolen financial information is immediately dissemi- 
nated to designated groups of criminals who withdraw money from ATMs all over 
the world within a short time period. In one example, PIN cashers made 9,000 with- 
drawals worldwide totaling $5 million in less than 48 hours from four compromised 
prepaid debit card accounts. 

THE LINK BETWEEN CARDING AND OTHER CRIMES 

In addition to the financial fraud perpetrated by carders, the Department focuses 
on criminals who engage in carding activities with a motivation other than personal 
financial gain. We know, for example, that drug traffickers engage in identity theft 
for the purpose of financing their activities. 

Similarly, there is a well-documented connection between identity theft — in par- 
ticular as it relates to obtaining fraudulent identification documents, but also as it 
may relate to credit card fraud — and terrorism. As one example, a convicted ter- 
rorist in Indonesia, Imam Samudra, wrote about the use of credit card fraud and 
carding as a means to fund terrorist activities in his 280-page autobiography. 
Samudra sought to fund the 2002 Bali nightclub bombings, of which he was con- 
victed, in part through on-line credit card fraud. 

Also illustrative of the connection between terrorism and credit card fraud, three 
British men were convicted in 2007 of inciting terrorist murder via the internet 
under the United Kingdom’s Terrorism Act of 2000. Younes Tsouli, Waseem 
Mughal, and Tariq Al-Daour were participants in a network of extremist Web sites 
and communication forums through which al Qaeda statements were issued and 
which disseminated videos of beheadings, suicide bombings in Iraq, and other jihadi 
propaganda. The three men also pleaded guilty to conspiracy to defraud banks and 
credit card companies. Tsouli was sentenced to 16 years in prison, Mughal was sen- 
tenced to 12 years in prison, and Al Daour was sentenced to 10 years in prison. Al- 
Daour and his associates used stolen credit card numbers obtained through phishing 
scams to make more than $3.5 million in fraudulent charges in order to purchase 
equipment, prepaid cell phones, airline tickets, and other items, to support jihadi 
groups in the field. Tsouli and Mughal also used stolen credit card numbers to set 
up and host jihadi Web sites. Significantly, the investigation revealed that these in- 
dividuals were members of carding organizations. 

THE DEPARTMENT’S INVESTIGATIONS AND PROSECUTIONS 

The Department of Justice plays a critical role in combating payment card 
breaches and the fraud and other criminal activity that results. United States Attor- 
ney’s offices throughout the country actively prosecute these cases. Within the 
Criminal Division, the Computer Crime and Intellectual Property Section (CCIPS) 
also investigates and prosecutes large-scale data breaches and coordinates prosecu- 
tions that involve multiple USAOs and foreign countries. In addition, the Fraud Sec- 
tion of the Criminal Division recently established the Payments Fraud Working 
Group (PFWG), which it co-chairs with the Board of Governors of the Federal Re- 
serve System. The PFWG is an inter-agency cooperative effort between law enforce- 
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ment and the bank regulatory agencies designed to examine issues related to var- 
ious payments systems and establish initiatives to protect payments systems 
against fraud and other misuse. The Department also helped to lead the Identity 
Theft Task Force, which also addressed many of these issues. Finally, the Office of 
International Affairs in the Criminal Division supports international cooperation ef- 
forts by implementing mutual legal assistance treaties (MLATs) and international 
conventions that have yielded significant evidence for use in U.S. and foreign pros- 
ecutions and by marshaling efforts to extradite international fugitives. 

The combined force of all of these efforts, along with the efforts of the FBI and 
the Department’s other law enforcement partners, has resulted in a number of 
benchmark prosecutions that highlight the range of the Department’s efforts to ad- 
dress the growing problem of large-scale data breaches and associated criminal ac- 
tivity. 

Recent Successes 

The Department, in coordination with its various USAOs, has worked with inves- 
tigative agencies including the USSS, the FBI, and the United States Postal Inspec- 
tion Service to combat carding and associated crimes, with great success: 

• Dark Market carding forum. — Most recently, on October 16, 2008, the FBI an- 
nounced the results of a 2-year undercover operation, conducted in conjunction 
with CCIPS, targeting members of the on-line carding forum known as Dark 
Market. At its peak, the Dark Market Web site had over 2,500 registered mem- 
bers around the world. This operation has resulted in 60 arrests worldwide and 
prevented an estimated $70 million in economic loss. 

• International hacking ring. — In August 2008, the Department announced the 
largest hacking and identity theft case ever prosecuted, in which charges were 
brought by the USAOs in the District of Massachusetts, the Southern District 
of California, and the Eastern District of New York against 11 members of an 
international hacking ring, including Maksik, discussed later. The various de- 
fendants — who were from the United States, Estonia, Ukraine, the People’s Re- 
public of China, and Belarus — were charged with, among other things, the theft 
and sale of more than 40 million credit and debit card numbers obtained from 
various retailers including TJX Companies, BJ’s Wholesale Club, OfficeMax, 
Boston Market, Barnes & Noble, Sports Authority, Forever 21, Dave & Buster’s, 
and DSW. 

• Operation CardKeeper. — Operation CardKeeper, led by the FBI and the USAO 
for the Eastern District of Virginia, resulted in the arrests of 13 individuals in 
Poland and eight in the United States. International cooperation was required 
to execute search warrants in the United States and in Romania. Significantly, 
Operation CardKeeper resulted in the U.S. conviction of an individual known 
on-line as “John Dillinger.” This defendant was sentenced in 2007 to 94 months 
in Federal prison for his carding activity, including aggravated identity theft, 
access device fraud, and conspiracy to commit bank fraud. Computers seized 
from him revealed more than 4,300 compromised account numbers and full 
identity information for over 1,600 individual victims. 

• “Iceman”. — In late 2007, a major supplier of tens of thousands of credit card ac- 
counts to carding forums was indicted for wire fraud and identity fraud; he is 
currently awaiting trial. Max Ray Butler, known on-line as “Iceman,” was the 
co-founder and administrator of the carding forum Cardersmarket. This case is 
being prosecuted by the United States Attorney’s Office for the Western District 
of Pennsylvania. 

• “Maksik” and “Lord Kaisersose”. — Maksym Yastremskiy, known on-line as 
“Maksik,” believed to be one of the top traffickers in stolen account information, 
was arrested for his carding activity in Turkey in 2007. He was also indicted 
in several U.S. districts as the result of the Department’s prosecution of the 
international hacking ring I discussed earlier. Maksik allegedly sold hundreds 
of thousands of credit and debit card numbers. One of his customers, an infa- 
mous carder known on-line as “Lord Kaisersose,” was previously searched and 
arrested in France as the result of a joint investigation conducted by the USSS 
and the French National Police. He is currently awaiting sentencing. 

“Operation Firewall” 

Much of this successful investigative work has its roots in some of the Depart- 
ment’s early efforts to dismantle highly-organized carding enterprises. As just one 
example, in 2004, as part of an undercover investigation known as Operation Fire- 
wall, the U.S. Secret Service (USSS) and several components of the Department of 
Justice coordinated the search and arrest of more than 28 members of the 
“Shadowcrew” criminal organization, located in eight States in the United States 
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and six foreign countries. Members of the group were later charged in a 62-count 
indictment with trafficking in at least 1.5 million stolen credit and bank card num- 
bers that resulted in losses in excess of $4 million. As part of this takedown, the 
USSS disabled the Shadowcrew Web site. We believe that had the organization not 
been interrupted, the credit card industry could have faced hundreds of millions of 
dollars in additional losses. Instead, the Shadowcrew criminal organization’s activity 
stopped, and to date, with the exception of two fugitives, all of the domestic 
Shadowcrew defendants have pleaded guilty and received sentences of up to 90 
months in prison. This prosecution was the first of its kind — by prosecuting top-tier 
members of the organization for conspiracy, it held individuals responsible for the 
criminal offenses facilitated through the carding forum by virtue of their leadership 
role in a criminal organization that operated solely on-line. Operation Firewall en- 
abled many of our more recent successes. In addition, the investigation into the 
Shadowcrew organization also revealed that the defendants were conspiring inter- 
nationally to commit specific carding-related crimes, including bank fraud, and en- 
abled us to successfully prosecute individuals for that conduct separately. 

Operation Firewall, like many of the examples I have mentioned today, also illus- 
trates how we can effectively respond to the increasingly global nature of carding 
organizations. With the cooperation of law enforcement agencies in the United King- 
dom, Canada, Bulgaria, Belarus, Poland, Sweden, the Netherlands, and Ukraine, 
foreign searches and arrests went smoothly, and foreign individuals were success- 
fully indicted in the United States. In addition, the United Kingdom pursued a sepa- 
rate domestic prosecution of Shadowcrew members, which has led to a number of 
guilty pleas. 


PREVENTION, DETECTION, AND RESPONSE 

Keeping credit, debit, and other financial account information out of the hands of 
criminals in the first place is an essential first step in reducing the frequency, and 
minimizing the impact, of large-scale data compromises. Merchants and processors 
who hold individuals’ sensitive financial information are prime targets for hackers 
and carders. To address this vulnerability, the credit card associations developed a 
set of security standards, known as the Payment Card Industry Data Security 
Standards (PCI DSS), for merchants and third-party processors. We suggest that all 
entities that store, process, or transmit credit, debit, and other financial account in- 
formation should ensure that they comply with all requirements of the PCI DSS in 
order to improve the security of their computer systems. 

As is well understood throughout the security community, however, perfect secu- 
rity is impossible. Therefore, even if 100% compliance with PCI DSS were achieved, 
it is likely that hackers will continue to develop techniques to exploit the computer 
systems of companies holding cardholder data. For instances in which those hackers 
succeed, efforts by the Department and investigative agencies to investigate, pros- 
ecute, and punish hackers and carders are critical to deterring future carders, learn- 
ing more about the nature of these crimes, and punishing offenders. For continued 
success on these fronts, it is imperative that: (1) Victim companies embrace meas- 
ures to swiftly detect data breaches and system compromises; (2) victim companies 
report data breaches to law enforcement; and (3) the United States builds upon its 
existing relationships with international partners to strengthen law enforcement co- 
operation channels internationally. 

Early Detection 

Early detection plays two important roles in efforts to combat carding activity. 
First, it can assist in mitigation of potential damage. When victim companies are 
notified by law enforcement, credit card companies, or other entities about a poten- 
tial compromise to their system, they should take all reasonable measures to deter- 
mine whether a compromise did indeed occur. Successful detection empowers victim 
companies to take steps to address the vulnerability, fortify their systems, and no- 
tify individual victims as necessary. But to date, it has been our experience that fol- 
lowing notification, victim companies can not and do not always do enough to deter- 
mine the scope and severity of data breaches of their computer networks. 

Moreover, law enforcement faces continued investigative challenges as a result of 
delayed detection and response. Often, victim companies detect compromises to their 
system weeks, months, or years after they occur, and as a result, meaningful inves- 
tigative leads may have disappeared by the time the compromise is reported to law 
enforcement, if it is reported at all. Private entities must have the capabilities to 
identify compromises more quickly. To accomplish this, we recommend that all enti- 
ties that store, process, or transmit credit, debit, and other financial account infor- 
mation implement security mechanisms designed to detect system breaches, such as 
tracking and monitoring all access to network resources and cardholder data. 
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Breach Reporting 

Immediate reporting of incidents to law enforcement is also vital to law enforce- 
ment’s ability to investigate large-scale data breaches. Immediate reporting nec- 
essarily relies upon each potential victim company’s capacity to promptly detect an 
incident, but we know from experience that prompt detection will not itself result 
in a report from the victim company. For a variety of reasons, data breaches are 
significantly underreported, and as a result, law enforcement efforts to bring crimi- 
nals to justice are significantly hampered. If law enforcement never learns of the 
incident, we will not investigate it; if we hear about it too late, we may be unable 
to preserve critical evidence or identify the perpetrators. On the other hand, several 
recent successes in tracking down the perpetrators of high-profile data breaches are 
the direct result of immediate information from victim companies on how the hack- 
ers entered and exited their systems, including the specific IP addresses used in the 
attack. For example, in the Dave & Busters case, which was a part of the inter- 
national hacking ring prosecuted in 2008, when Dave & Busters became aware of 
intrusions, they took measures to log access to their computers, block the intruder’s 
further attempts to collect credit and debit card data, and identify for law enforce- 
ment the intruder’s IP address. 

While companies like VISA require by policy that all entities that suspect or have 
confirmed that a security breach occurred must contact Federal law enforcement, 
few laws require the victim company to notify law enforcement. In its April 2007 
Strategic Plan, the Identity Theft Task Force recommended the establishment of a 
national standard requiring entities that maintain sensitive data to provide timely 
notice to law enforcement in the event of a breach. Because only a handful of State 
laws currently require reporting to law enforcement and because private sector rules 
are neither universal nor consistently enforced across the various companies, we 
urge Congress to consider requiring security breach reports to Federal law enforce- 
ment using a mechanism that ensures that the USSS and FBI have access to the 
reports. 

International Law Enforcement Cooperation 

As illustrated by the array of cases I have mentioned, carders operating in card- 
ing forums on the internet reside in different countries, collaborate freely across bor- 
ders, and can immediately and widely distribute stolen identity information around 
the globe. In addition, on-line carding forums provide networking opportunities for 
criminals interested in joining together to perpetrate other financial fraud or crimi- 
nal activity on a global scale. As a result, coordination and cooperation from foreign 
law enforcement is vital to the success of carding investigations and prosecutions. 
In this regard, the Identity Theft Task Force’s Strategic Plan also recommended 
that the Department of Justice and other departments and agencies take specific 
steps to improve coordination and evidence sharing with foreign law enforcement 
agencies. 

We believe that on this front, the United States should continue to press other 
nations to accede to the Convention on Cybercrime (2001), which will improve co- 
operation between law enforcement agencies. The Convention, which the United 
States ratified in 2006, assures that other countries enact suitable domestic legisla- 
tion criminalizing identity theft, in part to facilitate information-sharing under 
MLATs and the extradition of criminal defendants. In addition, the United States 
should continue to work closely with multilateral organizations to urge other coun- 
tries to review their criminal codes and criminalize identity-related criminal activi- 
ties where appropriate. This has historically proven effective. Last month, for exam- 
ple, the G-8 Roma/Lyon Group approved for further dissemination a paper that ex- 
amines the criminal misuse of identification information and identification docu- 
ments within the G-8 States and proposes “essential elements” of criminal legisla- 
tion to address identity-related crime. The Identity Theft Task Force’s Strategic 
Plan also directs the U.S. Government to identify countries that are safe havens for 
identity thieves and to use appropriate diplomatic and enforcement mechanisms to 
encourage those countries to change their practices. The Department of Justice has 
begun this process, gathering information from a range of law enforcement authori- 
ties. Finally, only by assisting foreign authorities can we expect them to reciprocate 
with critical evidence for our own investigations. The United States can improve 
international cooperation, in certain cases, by ensuring that our legislation provides 
U.S. authorities with the tools to assist foreign investigations effectively. 

CONCLUSION 

As I have attempted to outline for the subcommittee, the Department has been 
at the forefront of groundbreaking and historic efforts to identify, prosecute, and 
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punish the perpetrators of large-scale data breaches and the associated identity 
theft and fraud following from those breaches. In light of the growing sophistication 
and global scope of the threat, we are committed to continuing and improving our 
efforts to address this conduct. Thank you for the opportunity to provide the sub- 
committee with a brief overview of the Department’s role in combating these crimes 
and the primary issues we must focus on as we press ahead. 

Madam Chairwoman, this concludes my remarks. I would be pleased to answer 
any questions that you or other Members of the subcommittee may have. 

Ms. Clarke. I will remind each Member that he or she will have 
5 minutes to question the panel. I will now recognize myself for 
questions. 

Are we seeing more massive data breaches today, or is the media 
simply reporting more? 

Ms. Glavin. I think you have a little bit of both. The media is 
reporting on it, but what we have seen over the last several years 
and in some of the operations specifically I have referred to in our 
testimony, including the Shadow Crew organization, is hundreds of 
thousands, if not millions, of personal financial information and 
identity thefts occurring. 

The Operation Firewall, which was both the Shadow Crew orga- 
nization and the Carder Market Forum, should demonstrate that 
for a number of years this type of data breach has been happening 
and that there are hackers all over the world that are looking to 
get into systems and slowly take the information out. It can be over 
a course of months, if not over a course of years. 

So, yes, the data breaches are occurring and we know that be- 
cause of undercover operations we have done and because of the 
publicly reported takedowns that we have done that I mentioned 
in my testimony. Yes, the media is reporting on those breaches. 

Ms. Clarke. Ms. Glavin, to what extent does the fact that a com- 
pany is PCI-compliant help to mitigate criminal activity? How ef- 
fective are PCI standards in lowering the risk of being breached? 

Ms. Glavin. Having any security system and uniform standards 
are going to help, all right? It is a floor, and it is a way to begin 
the process of preventing breaches. That said, what we look at in 
terms of those PCI set standards is you have got to do continual 
monitoring and you have to do the testing, because you may have 
adopted those standards, but people may already be in your com- 
puter system by the time you have adopted those standards. It is 
the monitoring and the testing that is going to help companies see 
where they have been breached. We know that hackers are always 
coming up with new ways to get into your system. So it is going 
to be the monitoring and the testing. 

The second thing that the Department would suggest is that 
there should be notification through Federal law enforcement when 
breaches occur. I know is that something that has been under sub- 
ject of much discussion. But that would be an effective way of deal- 
ing with the data breaches on a number of levels, because we have 
a sense from our investigations and prosecutions around the coun- 
try as to the means that the hackers used to do this. If we get early 
reporting, it helps us get a sense of what is going on such that we 
can stop it. We can stamp out, you know, Web sites that are doing 
this and help get in front of the problem. 

Ms. Clarke. Ms. Glavin, how successful do you think that the 
Department of Justice’s efforts to combat credit card fraud will be 
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in the long run if neither improved standards nor technology and 
infrastructure changes are realized and there is no reduction in the 
amount of cardholder data being lost or stolen? 

Ms. Glavin. This is going to have to be an on-going partnership. 
Law enforcement has been there and we are always going to be 
there. It is not just within the prosecution of the Department of 
Justice. The FBI is always looking at this. The Secret Service is al- 
ways looking at this. We are working with our international part- 
ners around the world to have an international presence such that 
we are sharing information. We can’t do that alone, and having 
help from private industry when they know there have been 
breaches and reporting that to us, it is going to help everybody in 
the long run. 

So we can do what we do in terms of watching the technology, 
trying to stay on top of the hackers, continually looking out for 
these Web sites and carding forums. But we can’t do everything 
alone. To the extent we get help from the private sector to stay on 
top of that, that is important. I think that the industry that has 
adopted the PCI DDS, that is a laudable effort. The question is: 
Can they continue to evolve from there? 

Ms. Clarke. Just finally, can you please explain the roles of the 
Secret Service, FBI, and ICE in investigating cybercrime, and what 
are the distinctions between those investigative units? 

Ms. Glavin. Sure. The Secret Service has always been involved 
in looking at financial crimes and hackers. What the FBI brings to 
the table in addition to the Secret Service is that they have your 
counter-intelligence databases, which the Secret Service may not 
have. So they can be also checking, on a much more international 
level, what is going on around the world. They also have a presence 
through their legal attaches in other countries. So the Secret Serv- 
ice and the FBI both play critical roles and they both bring dif- 
ferent tools to the law enforcement effort. 

Ms. Clarke. Well, thank you very much. I now recognize one of 
our new Members on the committee, new Member to the Congress, 
the gentleman from New Mexico, Mr. Lujan, for his questions at 
this time. 

Mr. Lujan. Thank you very much, Madam Chairwoman. Ms. 
Glavin, thank you very much for being with us today. 

Ms. Glavin. Thank you. 

Mr. Lujan. In your testimony you highlight many instances 
where there are projects or programs, recent success, investigations 
that the Department of Justice has engaged in, Dark Market card- 
ing forum, international hacking ring, Operation Card Keeper, Ice- 
man, Operation Firewall. 

With that being said and with the level of concern that the De- 
partment of Justice has with the level of crime that is taking place, 
in this case cybercrime, what standards exist today for keeping this 
data secure? 

Ms. Glavin. In terms of private industry, the standards that are 
out there are the PCI DSS, plus whatever State laws there are. I 
mean, a number of States have consumer notification laws that re- 
quire financial entities to report data breaches. Some have law en- 
forcement notification laws. 
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In terms of Federal regulation, there is not a lot, other than you 
are speaking to someone from the Criminal Division, and I know 
we have the Title 18 criminal statutes that we use to prosecute. 
But in terms of standards across the industry Federally, such that 
people are required by law to comply with a certain set of stand- 
ards, that is not out there. 

Mr. Lujan. So it sounds like what States have done, they have 
a reporting mechanism that when there is a breach in security and 
data is compromised, that they are required to notify the consumer 
that may have been impacted. But with that being said, in your 
opinion, are these standards working the way they are being put 
together today? 

Ms. Glavin. Which industries? 

Mr. Lujan. The industry standards. 

Ms. Glavin. In terms of whether or not they are working, we 
know what reports we get when there has been data breaches and 
when industry chooses to tell us; or sometimes we learn about it 
from our own investigations and we choose to tell them. Whether 
or not they are working, I think the industry representatives are 
in the best position to tell you that. 

What I can say from the Department’s perspective is that if we 
are going to do criminal investigations, there is going to have to be 
some cooperation between us and private industry so we can do 
those investigations, get a sense of the data breaches and to have 
cooperation such that they let us know what is going on. 

We have a sense of how it happened, what is out there, and who 
may be responsible. As for whether or not they are working, I think 
they are a great bottom line to start with. But you have to be con- 
stantly watching, testing them, checking them to make sure they 
work, because the hackers are sophisticated people and they try to 
stay one step ahead of the industry. The industry tries to get one 
step ahead of them, and it is in everyone’s interest that you keep 
moving ahead. 

Mr. Lujan. Ms. Glavin, did I hear you correctly? Did you say 
that sometimes the Department of Justice will notify the compa- 
nies that there has been a breach, as opposed to the other way? 

Ms. Glavin. Yes. But sometimes that can happen — you know, if 
we get information that they may not have, that we may have ac- 
cess to through the course of our criminal investigations. It could 
be a company that may be PCI-compliant, but there was always 
something in the system before they got brought up to compliance. 

But, yes, there have been instances that I know of, investigations 
where we have learned about information and that we have in- 
formed the company about, that you may want to check X, Y, and 
Z. 

Mr. Lujan. Thank you very much, Ms. Glavin. 

Madam Chairwoman, I know we had a lot of briefings and dis- 
cussions with the committee as a whole and the various sub- 
committees on the importance and attention that is needed when 
it comes to data breaches, especially with the attacks that we know 
that are occurring on a regular basis, national security, as well as 
financial institutions. 

I think that in the same regard, when we are talking about what 
the expectations are of the American public with feeling secure 
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about the data that could exploit them and expose them to these 
types of crime, often times without them ever knowing, is some- 
thing that we have to take seriously. 

So I thank you very much, Madam Chairwoman and Chairman 
Thompson, for bringing this to the attention and allowing us to 
have a hearing on this today. 

Ms. Clarke. Thank you very much, my colleague. I just want to 
correct the record, at least vocally, that my colleague’s name is Mr. 
Lujan. 

Mr. Lujan. Thank you very much. 

Ms. Clarke. Very well. Some of your responses to my colleague’s 
questions were a bit troubling to me. The fact that it could take 
some time before there is communication around a vulnerability 
that is existing within the system, and in that amount of time 
transactions can take place that can lead to financial support for 
criminal endeavors is something we should always be concerned 
about. Time is of the essence, right? If you are not getting the level 
of transparency, for whatever reasons, from the private side — in 
other words, maybe someone is ashamed that they met these PCI 
standards and now they have found a vulnerability. As you said, 
it couldn’t have been one that existed there prior to them coming 
up to code. It is still important for that information to be shared, 
notwithstanding whatever reasons may inhibit someone from doing 
so. Because, again, these transactions take place so quickly. 

What would you say could expedite the transfers of information? 
What do you think would open up private enterprise to really 
working with law enforcement on a much more timely basis, once 
something is detected, to address it? Do you think that perhaps 
some introspection about the PCI standards would help put them 
on a higher platform for detection? 

Ms. Glavin. The PCI DSS standards — again, as I said before, I 
think one of the key components of those standards is going to be 
the regularly monitoring and testing. Sometimes these breaches 
aren’t readily apparent and are hard to detect. 

As I have had it described to me, the breaches can sometimes 
occur such that the best analogy could be that the front door of 
your house gets open and you don’t know it. Slowly over a period 
of time, someone may take, piece by piece, all of your house. It 
could happen over a course of months, and an entity may not be 
aware of it. 

So immediate notification could be hard in that type of instance. 
But regularly monitoring and testing, we hope, would be a way 
that they detect it sooner. 

In terms of the information sharing, we support an effort such 
that there be some type of notification to Federal law enforcement. 
How that is done and what particular entity that is reported to is 
something that we are happy to work with this committee on, such 
that it can happen faster and it gets to the law enforcement enti- 
ties that have been in the forefront of this, such as the FBI and 
the Secret Service. But it is immediate notification when you see 
the data breach. Yes, that is something that we would like. But 
sometimes it is not always easy that you are going to find that data 
breach right away. 
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Ms. Clarke. Ms. Glavin, I want to thank you for sharing with 
us your perspective on the PCI standards and the payment card in- 
dustry and its relationship to cybercrime. I want to thank you for 
sharing your expertise with us. We look forward to working with 
you further as we look for ways to strengthen this part of our con- 
cern with regards to the threats that exist, the vulnerabilities that 
may exist within the payment card industry. Thank you very 
much. 

Ms. Glavin. Chairwoman Clarke, thank you very much. We look 
forward to working with you. 

Ms. Clarke. Thank you. I would like to acknowledge the work, 
Ms. Glavin, of your senior counsel, Kim 

Ms. Glavin. Kim Paretti. 

Ms. Clarke [continuing]. Kim Paretti in this field, and I would 
like to thank her and her colleagues for their service. 

Ms. Glavin. They have done excellent work. 

Ms. Clarke. We appreciate it. 

The Members of the subcommittee may have additional questions 
for the witness and we will ask you all to respond in writing to 
those questions. 

At this time, the first panel is dismissed and the Chairwoman 
calls out the next panel. 

I welcome the second panel of witnesses. Our first witness is 
Robert Russo, Director of the Payment Card Industry Data Secu- 
rity Standards Council. Welcome. 

Our second witness is Joseph Majka, Head of Fraud Control and 
Investigation, Global Enterprise Risk for Visa. 

Our third witness is Michael Jones, Chief Information Officer for 
Michaels Stores. 

Our fourth witness is Dave Hogan, Senior Vice President and 
Chief Information Officer for the National Retail Federation. I 
thank you all for being here today. 

Without objection, the witnesses’ full statements of Andrew 
Cochran, an expert on terrorism financing, and Kirsten Trusko on 
behalf of the Network Branded Prepaid Card Association will be in- 
serted into the record. Hearing no objection, so ordered. 

[The information follows:] 

Statement for the Record Submitted by Andrew R. Cochran, Founder and 
Co-editor, The Counterterrorism Blog 

March 31, 2009 

Chairwoman Clarke, Ranking Member Lungren, and Members of the committee, 
I appreciate the opportunity to submit a written statement on the subject of terror- 
ists’ use of credit cards for this important hearing. I am the founder and co-editor 
of The Counterterrorism Blog, the first multi-expert internet-based center dedicated 
solely to reporting and analyzing terrorist attacks and counter-terrorism policies. 
Now in its fifth year of operation, The Counterterrorism Blog is a highly respected 
source of objective information and analysis in the counter-terrorism community. 
Our Contributing Experts work in non-governmental organizations and private busi- 
nesses worldwide, and include over 20 noted experts, including Evan Kohlmann, 
Douglas Farah, Dennis Lornel, Walid Phares, Animesh Roul, Farhana Ali, and Mat- 
thew Levitt. In addition to earning the plaudits of law enforcement, intelligence offi- 
cials, Members of Congress, and the news media, our credibility is evidenced by the 
fact that al Qaeda attacked us by name on Al-Ekhlaas, one of its central messaging 
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forums, last April. 1 You can find us on the internet at http:/ / 
counterterrorismblog.org / , and you can e-mail me. 

Our Contributing Experts have reported often on terrorists’ use of stolen credit 
card information, and they speak often about the subject. On February 29, 2008, I 
chaired a special panel, “Meta-Terror: Terrorism and the Virtual World,” with two 
Contributing Experts (Evan Kohlmann and Roderick Jones) and the senior vice 
president and chief technology officer of VeriSign. 2 During that event, our discussion 
included how a senior al Qaeda operative financed operations through the use of sto- 
len credit card information. Dennis Lormel, who founded and ran the Terrorist Fi- 
nancing Operations Section at the FBI and investigated the financing of the 
9/11 attacks, has several posts on terrorists’ use of credit cards. 3 Matthew Levitt 
and Contributing Expert Michael Jacobson cited the use of credit card fraud to fi- 
nance two deadly attacks in a New Republic article this year. 4 I invite the com- 
mittee to review the cited works in detail, and I will quote from and/or summarize 
their main points for the committee’s consideration as follows: 

1. Credit cards are extremely vulnerable to fraud and are used extensively by 
terrorists. The internet not only serves as a learning tool for terrorists but also 
functions as a mechanism to steal credit card information through hacking, 
phishing, and other means. In many instances, when terrorist operatives are 
apprehended, they have multiple identifications and credit cards in a variety of 
names in their possession. 

2. The terrorists who executed the devastating 2004 Madrid train bombings, 
which killed almost 200 people, and who carried out the deadly July 7, 2005, 
attacks on the transportation system in London were self-financed, in part 
through credit card fraud. 

3. Imam Samudra was a key operative of the al Qaeda-linked terrorist group 
Jamaah Islamiah in Indonesia, and was the mastermind behind the Bali night- 
club bombings in 2002 which killed over 200 people. While in prison in 2004, 
he wrote a jailhouse manifesto, with a chapter, entitled “Hacking, Why Not.” 
In it, he urged fellow Muslim radicals to take holy war into cyberspace by at- 
tacking U.S. computers. Samudra described America’s computer network as 
being vulnerable to hacking, credit card fraud, and money laundering. Samudra 
discussed the process of scanning for Web sites vulnerable to hacking and then 
discussed the basics of on-line credit card fraud and money laundering. Interest- 
ingly, in 2004, Indonesian police asserted that Indonesia had more on-line credit 
card fraud than any country in the world. 

4. Younes Tsouli, aka “Terrorist 007,” and his two associates, Waseem Mughal 
and Tariq al-Daour, used computer viruses and stolen credit card accounts to 
set up a network of communication forums and Web sites that hosted every- 
thing from tutorials on computer hacking and bomb making to videos of behead- 
ings and suicide bombing attacks in Iraq. They raised funds through credit card 
information theft and fraud, which were used to support the communications, 
propaganda, and recruitment for terrorists worldwide, as well as to purchase 
equipment for Jihadists in the field. One expert described their activities as “op- 
erating an on-line dating service for al Qaeda.” The three men pled guilty to 
inciting terrorist murder via the internet. 

Set forth below is a snapshot of the extent of credit card information theft and 
fraud they were responsible for: 

• Stolen credit card numbers and identities were used to buy Web hosting serv- 
ices. At least 72 stolen credit card accounts were used to register more than 180 
Web site domains at 95 different Web hosting companies in the United States 
and Europe. 

• On one computer seized from al-Daour’s apartment, some 37,000 stolen credit 
card numbers were found. Alongside each credit card record was other informa- 
tion on the identity theft victims, such as the account holder’s address, date of 
birth, credit balances, and limits. 

• More than $3.5 million in fraudulent charges were made using credit card ac- 
counts stolen via on-line phishing scams and the distribution of “Trojan horses.” 


ll ‘Al Qaeda Officially Hates The Counterterrorism Blog,” April 16, 2008, at http: II 
counterterrorismblog.org / 2008 1041 al qaeda officially hates the.php. 

2 Complete transcript at http : / lcounterterrorismblog.org 12008 / 03 / 

event transcript and related l.php. 

^‘Terrorists and Credit Card Fraud ... a Quiet Epidemic,” February 29, 2009, at http :/ / 

counterterrorismblog.org / 2008 / 02 / terrorists and credit card fra.php, and “Credit Cards 

and Terrorists,” January 16, 2008, at http://counterterrorismblog.org/2008l01/ 

credit cards and terrorists. php. 

4 Summarized in "Drug Wars,” Michael Jacobson, January 27, 2009, at http:/ / 

counterterrorismblog.org /2009 / 01 / drug wars. php. 
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• The men purchased sophisticated equipment needed by jihadists in the field 
and other operational resources, including hundreds of prepaid cell phones, and 
more than 250 airline tickets using 110 different credit cards at 46 airlines and 
travel agencies. 

• They laundered money through on-line gambling sites, using accounts set up 
with stolen credit card numbers and victims’ identities. The trio conducted 350 
transactions at 43 different on-line wagering sites, using more than 130 com- 
promised credit card accounts. 

The terrorists apparently obtained some stolen data through contacts with Rus- 
sian-based criminal gangs, and they traded this information with criminal syn- 
dicates. In the 1990’s, al Qaeda would steal a handbag to get one credit card to raise 
funds. Now they will just buy this data on-line and get thousands of credit card de- 
tails. Once credit card information winds up in the hands of criminal syndicates, it 
can be easily transmitted to terrorists. 

5. The Liberation Tigers of Tamil Eelam (LTTE), a.k.a. the “Tamil Tigers,” use 
credit card fraud as an international means of financing terrorist activities. 
Four men, believed to be associated with the Tigers, were arrested this year in 
Toronto on charges of debit and credit card fraud for possessing numerous gift 
cards containing bank account and debit information from individuals in the 
United Kingdom. Further investigation found laptop computers and memory 
sticks containing bank information for thousands of U.K. bank customers. A 
massive credit and debit card fraud case in the United Kingdom, involving up 
to 200 British gasoline stations, is apparently another Tamil Tigers operation. 
The alleged subjects obtained credit and debit card information at gasoline 
pumps through the use of skimming machines, with the loss was estimated to 
be as much as $72,000,000. 

I look forward to reviewing the committee’s review into the effectiveness of the 
PCI standards to reduce data breaches, identity theft, and the potential funding of 
terrorism, and I stand ready to assist the committee in that mission. 


Statement for the Record Submitted by Kirsten Trusko, on Behalf of the 
Network Branded Prepaid Card Association 

March 31, 2009 

Chairwoman Clarke and Members of the subcommittee, I am Kirsten Trusko, 
President and Executive Director of the Network Branded Prepaid Card Association 
(“NBPCA” or Association”). We are a non-profit trade organization, which seeks to 
serve consumers, businesses, and Government through unique applications of net- 
work branded prepaid cards, and in doing so supports the growth and success of 
network branded prepaid cards. We represent the common interests of the many 
players in this new and rapidly growing payment category. The NBPCA’s members 
include banks and financial institutions, the major card networks, processors, pro- 
gram managers, marketing and incentive companies, card distributors and law 
firms. For additional information about our organization, may we suggest you visit 
our Web site, www.NBPCA.com. I am delighted to submit factual information that 
we hope will help to address your questions on a topic that is of utmost importance 
to our members: accurately understanding and mitigating the potential risks posed 
by network branded prepaid cards. 

This document is designed to outline the following topics, at a high level. Should 
you have follow-up questions, please let us know. 

1. What is a network branded prepaid card and how does it differ from other 
cards? 

2. Why is this card type growing and popular (including quotes from the Fed- 
eral Reserve and Office of the Comptroller)? 

3. What are the facts to correct misperceptions about network branded prepaid 
cards? 

4. How are NBPCA’s members working with legislators, regulators, and law en- 
forcement to mitigate the potential for misuse of the cards? 

I. WHAT ARE “NETWORK BRANDED PREPAID CARDS”? 

We hope to clarify some misconceptions by being clear about the facts. 

• First, there are many types of plastic, magnetic-striped cards that are all called 
“prepaid.” That is, before one uses the card to make a purchase, one must pre- 
pay the funds, which are held by a bank. The cardholder uses the cards to gain 
access to the funds. You cannot spend a $50 gift card, for example, until the 
$50 has been paid in advance. 
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• However, not all prepaid cards are “network branded.” Network branded cards 
(sometimes referred to as “open loop” or “open system” cards) are issued by reg- 
ulated financial institutions, carry the brand of a major card network (such as 
American Express, Discover, MasterCard or Visa) on the front of the card, and 
are generally 1 usable anywhere that brand is accepted. Some network branded 
prepaid cards are also usable at ATMs to obtain cash for limited daily amounts. 

• Although many network branded prepaid cards display the word “DEBIT” on 
the front of the card, they are not “debit cards” in the classic sense of the word. 
That is, network branded prepaid cards are not linked to an individual’s per- 
sonal checking, savings, or other bank account. Instead, the funds are held in 
pooled bank accounts with data that links each card to the cardholder’s funds. 
This distinction enables the under-banked population to use these cards to re- 
ceive child support, unemployment, and other funds that are essential to daily 
life, transaction that are very difficult to administer on a cash-only basis. 

• Network branded prepaid cards are also separate and distinct from “retailer gift 
cards” (sometimes referred to as “closed loop” cards). Retailer gift cards are not 
issued by a financial institution and can only be used at one location (or at one 
chain of affiliated locations). Retailer gift cards are issued by a restaurant, 
store, hotel, or other retail service provider solely for use to purchase goods or 
services at the issuing retailer’s establishment. 

• Attached to this testimony are pictures of some popular network branded pre- 
paid cards issued by our members.* 

II. WHY HAVE NETWORK BRANDED PREPAID CARDS BECOME SO POPULAR? 

Network branded prepaid cards are a relatively new and growing product, largely 
developed in response to market needs not being met by other card types. They en- 
able electronification of payments and the supporting data trail, to capture what 
was previously transacted with check or cash. They support specific applications by 
customer need (e.g. the under-banked consumer as mentioned earlier) and help to 
reduce costs and provide a better accounting/data trail for businesses and Govern- 
ment than when using cash or checks. 

The popularity of network branded prepaid cards is attributable to their unique 
ability to address cardholder needs in a variety of situations including health care, 
disaster relief operations, payroll, Government benefit payments, and gifting. 

The benefits that network branded prepaid cards provide was noted in an article 
published by the Philadelphia Federal Reserve Bank’s Payment Card Center: 

“The benefits that open-system prepaid cards offer for consumers, providers, and 
issuing banks contribute to the increased adoption of these payment applications. 
Consumers use these cards to pay bills, make purchases, and access cash from ATM 
networks. Prepaid cards can also be used to secure car rentals and to make hotel 
and air travel reservations. At the same time, holders of prepaid cards need not se- 
cure a traditional banking relationship nor gain approval for a deposit account or 
revolving credit. Prepaid card providers may be nonbank third parties, such as em- 
ployers and payroll processing companies, that can use prepaid cards as a means 
to convert paper disbursements, such as payroll checks, benefit claims forms, travel 
checks, gift certificates, and government checks, to less costly electronic payments. 
Finally, bank card issuers have an opportunity to serve a broader set of consumers. 
By offering prepaid cards, issuing banks may meet the financial needs of consumers 
who may not otherwise qualify for more traditional banking products, and these 
banks may do so with a card-based electronic payment application that essentially 
eliminates credit risk for the bank. (Cheney and Rhine, Prepaid Cards: An Impor- 
tant Innovation in Financial Services, Philadelphia Federal Reserve Bank Payment 
Center (Originally published in conjunction with the American Council on Consumer 
Interests (ACCI) (July 2006)).” 

Additionally, the Office of the Comptroller of the Currency, in a July 2005 report, 
(http:llwww.occ.treas.gov/cddlpayrollcards.pdf) compared the cost of network 
branded prepaid payroll cards versus the alternatives available to the under- 
banked, noting the following benefits: 

Benefits to Employers 

• Reduced bank processing fees and check handling fees; 


1 We say “generally” because some network branded prepaid cards have specialized usage 
which creates some limitations. For example, “teen cards” are designed so that they cannot be 
used in liquor stores, and health cards may have restrictions to health-only merchants and/or 
purchases. 

* The information referred to has been retained in committee files. 
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• Reduced check printing costs; 

• Reduced likelihood of check fraud; 

• Reduced check reconciliation costs; 

• Increased employee productivity (e.g., not needing time off during work to cash 
or deposit paycheck); 

• Reduced lost/stolen check replacement costs. 

Benefits to Employees 

• Reduces or eliminates check cashing fees; 

• Offers ability to make purchases using credit card networks; 

• Offers 24-hour access to funds via ATMs; no need to wait in lines; 

• Reduces the need to carry a lot of cash; 

• Makes money transfers more easily available to families; 

• Provides a pseudo-bank account — funds do not need to be withdrawn entirely 
as with using a check casher; 

• Please refer to Table 5 in the OCC report as it documents their comparison of 
consumer costs across Payroll card, Check Casher, and Basic Bank account, re- 
flecting Payroll card as the option least costly to the consumer. 

III. misunderstandings/myths about network branded prepaid cards. 

Despite the many benefits of network branded prepaid cards, aspects of these 
products are misunderstood. This may be because organizations not typically associ- 
ated with financial products are sometimes involved in the creation and distribution 
of network branded prepaid cards. For example, some network branded prepaid 
cards are available through non-traditional distribution channels such as super- 
markets and drug stores. Misconceptions about network branded prepaid cards, 
which have gained currency through repetition, have the potential to affect the in- 
dustry negatively — particularly with respect to issues relating to money laundering 
risks. My testimony today addresses several major misconceptions by providing fac- 
tual information that supports a fair and accurate assessment of money laundering 
risks associated with network branded prepaid cards. Here are some misunder- 
standings about network branded prepaid cards: 

Myth No. 1: Prepaid cards are unregulated or loosely regulated . — Every network 
branded prepaid card (i.e., those carrying the logo of American Express, Discover, 
MasterCard, or Visa) is issued by a highly regulated financial institution or other 
regulated organization. As such, network branded prepaid cards are subject to 
exam, review, and oversight. For example, the FFIEC BSA/AML Bank Examination 
Manual (July 2006) sets forth specific requirements for examining banks regarding 
their “electronic cash” products (which encompasses “stored value”) including OF AC 
screening, transaction testing, and monitoring for suspicious activity. In addition, 
many prepaid card program managers, distributors, and organizations that perform 
specific functions relating to processing or distributing network branded prepaid 
cards, are regulated by State banking departments as money transmitters or check 
sellers. As such, they also are subject to exam, review, and oversight. State regu- 
lators are increasingly requiring money transmitters to: 

(1) Register as Mobs with FinCEN, 

(2) Have AML policies that address customer due diligence, OFAC screenings, 
and suspicious activity monitoring, and 

(3) Have independent reviews of their AML policies. 

Altogether, there are over 50 laws/regulations that apply to network branded pre- 
paid cards. The applicability of these laws/regulations depends on a number of fac- 
tors including the charter of the financial institution issuer. 

Myth No. 2: Prepaid cards are “ideal” for money laundering . — Network branded 
prepaid cards are actually less useful for money laundering than many other pay- 
ment products for the following reasons: 

• The value associated with network branded prepaid cards issued in the United 
States consists of funds held in a bank account in the United States. These 
funds can — at any time — be frozen by the card issuer and/or forfeited entirely. 
Unlike “bearer instruments” or chip-based cards, where whoever holds the prod- 
uct also holds the value, network branded prepaid cards keep the value sepa- 
rate, making the products less attractive to criminals. 

• All network branded prepaid cards are processed through an on-line system 
that requires electronic authorization from the payment network prior to com- 
pleting a purchase transaction at the point of sale or obtaining cash from an 
ATM. 

• The system enables card issuers to decline an authorization and/or to cancel the 
ability to use a prepaid card. The ability of the card issuer to terminate a card’s 
usefulness, without requiring possession of the card, is critical — and is a feature 
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not shared by most traditional payment products. The on-line system tracks and 
records every use of every network branded prepaid card. Unlike paper payment 
products (such as checks, travelers checks, money orders, and cash), network 
branded prepaid cards leave a traceable trail of use including place, time, date, 
amount, and often the nature of the transaction. This trail has already assisted 
law enforcement in tracking illicit activity through use of prepaid cards. 

• If a network branded prepaid card issuer identifies unusual or suspicious activ- 
ity, the card can be blocked from further use. Card programs routinely monitor 
card activity and, as appropriate, file suspicious activity reports (SARs) or notify 
law enforcement. 

Myth No. 3: Network branded prepaid cards can be both anonymous and permit 
ATM access, with liberal load limits or no limits on the amount of cash that can 
be accessed. — Today, “anonymous” (meaning that no identifying information is ob- 
tained from the purchaser and verified) network branded prepaid cards are limited 
to the gift or reward card category (although many network branded gift/reward 
cardholders are identified and verified as well). Such anonymous gift/reward cards 
have significant restrictions that minimize risk of misuse such as a relatively low 
maximum dollar value, no ability to access cash through ATMs, and no ability to 
load additional funds after the initial funds are depleted. In addition, some issuers 
restrict usage of anonymous cards to the United States. 

Myth No. 4: Prepaid card issuers do not require Customer Identification Programs 
(CIP) nor OF AC screening for individual prepaid cardholders. — Reloadable, cash-ac- 
cessible network branded prepaid cards are not available anonymously. Issuers rou- 
tinely subject individuals purchasing such cards to CIP and OFAC screening, to the 
same extent as is required for financial institutions opening “accounts” under the 
Bank Secrecy Act. These verification and screening procedures are identical to those 
conducted when any on-line bank account is opened. 

Myth No. 5: A consumer can use cash to purchase a high-value, reloadable network 
branded prepaid card from a j-hook and use it anonymously. — When a consumer 
purchases a reloadable network branded prepaid card from a j-hook in a retail loca- 
tion, a process called “activation” is typically required before the cardholder may use 
the card for a purchase or to access cash. In other words, although the consumer 
may purchase the card without identity verification, he/she may not use the card 
until the identity verification process is complete. The activation process typically 
involves the cardholder telephoning the card issuing financial institution (or a spe- 
cialized organization with which the issuer has contracted) and providing personal 
identification information. The financial institution then verifies various elements of 
customer information including name, address, Social Security Number, and/or date 
of birth using a third-party authentication system such as Experian, Lexis-Nexis, 
or Equifax — just as they would a bank account. The issuer also screens customers 
against the OFAC Specially Designated Nationals list. If the cardholder does not 
“pass” this process, the card is either not usable or not reloadable. 

IV. THE NBPCA’S ANTI-MONEY LAUNDERING RECOMMENDED PRACTICES 

In February 2008, the NBPCA released its “Recommended Practices for Anti- 
Money Laundering Compliance for U.S. -based Prepaid Card Programs.” The docu- 
ment provides recommendations for all network branded prepaid card industry par- 
ticipants to support compliance with the U.S. Bank Secrecy Act (BSA) anti-money 
laundering (AML) program requirements. It recommends how to implement internal 
controls, monitor and manage third parties involved with prepaid card processes 
and mitigate risks associated with money laundering. 

To ensure the document addresses the questions and concerns of law enforcement 
and Government agencies, the NBPCA has and will continue to maintain an open 
dialogue with Federal, State, and local regulatory agencies as well as law enforce- 
ment officials. The document address risks identified through information sharing 
between the industry and critical agencies that monitor financial crime. “Rec- 
ommended Practices for Anti-Money Laundering Compliance for U.S. -based Prepaid 
Card Programs” is a practical guide to setting up, implementing, and auditing a 
compliance program. It covers the following areas: 

1. How to conduct a risk assessment. 

2. How to establish a set of internal controls to achieve compliance with AML 
program requirements of the BSA. 

3. Federal reporting requirements and red flags to look for with respect to sus- 
picious activity. 

4. Adopting and implementing programs to comply with know your customer re- 
quirements. 
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5. Reducing risk when working with non-financial institutions, third-party 
agents, and processors. 

6. How to implement independent compliance testing. 

7. Training program guidelines for key personnel. 

The NBPCA has made “Recommended Practices for Anti-Money Laundering Com- 
pliance for U.S.-based Prepaid Card Programs” available to anyone in the prepaid 
card industry. The report, which can be downloaded from the NBPCA Web site at 
www.nbpca.com, has been widely praised and was well-received both by Govern- 
ment and private entities. 

V. THE NBPCA’S ROLE ON THE BANK SECRECY ACT ADVISORY GROUP (BSAAG) 

In 2008 the NBPCA was selected for membership in the Bank Secrecy Act Advi- 
sory Group (BSAAG), a group made up of industry representatives, regulators, and 
law enforcement, implemented by an act of Congress. BSAAG’s role is to advise the 
Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) on 
matters related to anti-money laundering risks and Bank Secrecy Act compliance. 
In addition to its role on BSAAG, the NBPCA co-chairs the Stored Value Sub- 
committee, a subcommittee focused on the potential risks presented by prepaid 
cards and the ways to mitigate those risks. 

VI. RISKS PRESENTED BY DATA SECURITY BREACHES 

Data security breaches and the misuse of consumer account information by crimi- 
nals and money launderers is an increasing problem for the U.S. payment system. 
Because network branded prepaid cards use the same card payment infrastructure 
as credit cards, prepaid cardholders can be victims of such data security breaches. 
However, because prepaid cards are not connected to an individual’s bank account 
or credit card accounts, the risks posed by such data breaches tend to be far less 
for prepaid card issuers than they are for credit and debit card holders. This is one 
of the reasons consumers who also use credit and debit cards, are attracted to pre- 
paid card use as any breach of the card limits access to only the balance available 
on the card. And of course, like credit and debit cardholders, most network branded 
prepaid card holders are protected against losses from unauthorized use, thanks to 
the card brands’ “zero liability” policies which are incorporated into the payment 
network operating regulations governing issuers. 

VII. CONCLUSION 

Network branded prepaid cards are a new and valuable payment product for con- 
sumers, businesses, and Government. As with any payment product, network brand- 
ed prepaid cards can be misused by the criminal element. Nevertheless, the NBPCA 
has long encouraged practices that reduce the opportunities for prepaid cards to be 
used in illicit activities. Prepaid cards are vital and important products which serve 
a substantial number of people, including those that are under-banked and would 
have no other connection to the banking infrastructure so critical to daily life in the 
United States. The NBPCA continues to support national and international efforts 
to combat money laundering, terrorist financing, and financial crime. We are also 
committed to ensuring that our products are available to help consumers and busi- 
nesses maintain access to the payment system, have secure and protected payment 
products, and reduce costs and inefficiencies for consumers, businesses, and govern- 
ment. 

Ms. Clarke. I now ask each witness to introduce yourself and 
summarize your statement for 5 minutes beginning with Mr. 
Russo. 

STATEMENT OF ROBERT RUSSO, DIRECTOR, PAYMENT CARD 
INDUSTRY DATA SECURITY STANDARDS COUNCIL 

Mr. Russo. Thank you, Chairwoman Clarke. Thank you for the 
opportunity to testify on the critical issue of payment card data se- 
curity. Payment card fraud concerns every American and, in a glob- 
al economy, every consumer worldwide. The payment card system 
is one that manages billions of transactions representing trillions 
of dollars moving across a global network. Reducing payment card 
fraud and constantly innovating to stay ahead of it is a critical 
challenge. 
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The PCI Security Standards Council was formed in 2006 just for 
that purpose. Our mission is to protect cardholder data from crimi- 
nal elements who constantly manufacture new and inventive ways 
to compromise security systems. 

At the center of our efforts to do this are three standards. Let 
me tell you about each. 

First, the PCI Data Security Standard, or the DSS, is a set of 
12 security practices based on six core principles. The DSS covers 
everything from securing applications, to networks, to their perim- 
eters, to maintaining an incident response plan. 

Second, our payment application data security systems is de- 
signed to ensure that payment applications, which are found in 
many retailers, are not storing sensitive payment card data. 

Third, the PIN security requirements ensure that the PIN entry 
devices, devices that you may see at a checkout line to enter your 
PIN number, have been designed to properly encrypt the cus- 
tomer’s PIN and are tamper-proof. 

But new threats continue to emerge. That is why development 
and review of the PCI standards is a critical process and why the 
PCI Security Standards Council takes it seriously. We engage our 
community of participating organizations, more than 500 mer- 
chants, processors, financial institutions, technology companies, 
Government, academia, and trade associations worldwide to ensure 
our standards meet the latest threats, and when new threats 
emerge we have mechanisms to take swift action. 

These include regular updates to our testing procedures, monthly 
Webinars with both assessors and merchants; flash bulletins on 
emerging threats; as well as on-going updates to the standards 
themselves. 

Our goal is simple: To have every organization that stores, proc- 
esses or transmits cardholder data do so in accordance with the 
PCI standards. I have no doubt that compliance with the PCI 
standards is an entity’s best line of defense against payment card 
data compromise. In fact, we have never found a breached entity 
to have been in full compliance with the PCI standards at the time 
of a breach. 

But we also recognize that the dynamic nature of any organiza- 
tion can render a validated system noncompliant almost imme- 
diately after a satisfactory compliance report has been issued. Ef- 
fective security is not a one-time snapshot, but really a full-length 
feature film where the organization is compliant at each and every 
frame. 

No standard is perfect. But the PCI security standards have 
proven to be the most effective means of preventing data breaches 
and protecting consumers. 

One final point. In order to assist organizations with maintaining 
and achieving compliance with our standards, the Council provides 
a wide range of resources. For example, the on-going training, ap- 
proval and quality assurance of qualified security assessors; a 
worldwide network of professionals that conduct on-site compliance 
assessment; the validation of a worldwide network of approved 
scanning vendors who do remote scanning of networks, secure 
them against network threats; and finally, an education program 
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that includes printed materials, on-line resources, Webinars and 
face-to-face training sessions. 

Payment card fraud is a serious concern demanding a serious, 
continuous and vigorous response. The PCI Security Standards 
Council has made its sole mission the securing of cardholder data. 
Thank you and I look forward to answering your questions. 

Ms. Clarke. Thank you for your testimony. 

[The statement of Mr. Russo follows:] 

Prepared Statement of Robert Russo 
March 31, 2009 

INTRODUCTION 

Chairwoman Clarke, Ranking Member Lungren, Members of the subcommittee, 
thank you for the opportunity to testify on the important issue of payment card data 
security. 

My name is Bob Russo and I am the general manager of the PCI (Payment Card 
Industry) Security Standards Council. The Council is an industry standards body 
responsible for developing security standards that merchants (such as retailers, 
transportation companies, hotels, etc.) and payment card transaction processors use 
to protect customers’ payment card data as it is stored, processed, or transmitted 
from the point of sale to the card issuer for authorization and subsequent proc- 
essing. 

Payment card fraud is something that concerns all of us, both businesses and con- 
sumers alike — from the pizza shop down my street to the country’s largest retailers; 
from a single parent who manages the household finances to the businesswoman 
who conducts trade globally. For the consumer, having one’s card data stolen can 
be an inconvenient and stressful experience, even though here in the United States 
the consumer normally bears no liability for any ensuing fraudulent transactions. 
It is also very costly for financial institutions that have to mitigate the damage asso- 
ciated with a payment card compromise, and for businesses that can lose customer 
confidence and suffer damage to their reputations. Data theft impacts everyone in 
the payment stream. 

The PCI Security Standards Council was formed with the intent of providing tools 
and resources to protect payment card data from all threats, regardless of motiva- 
tion. In the less than 3 years since our formation, we have made tremendous strides 
toward this goal — and our efforts continue. We welcome the subcommittee’s interest 
in the topic of payment card data protection, and appreciate the Government’s on- 
going commitment to understanding and exploring the initiatives underway to con- 
tain and reduce fraud for consumers and businesses globally. We look forward to 
working with the subcommittee to continue to reduce payment card data com- 
promise and invite the subcommittee to use the Council as a resource as it develops 
policies to combat cybercrime. 

My testimony today will cover the background and history of the Council, how we 
came about, what we seek to do and with whom we work to develop and maintain 
the standards in a dynamic security environment. I will also detail some of the tools 
and resources we have made available to the market to enable businesses to secure 
payment card data wherever it is processed, stored, or transmitted. 

ABOUT THE PCI SECURITY STANDARDS COUNCIL 

The PCI Security Standards Council, LLC is a global forum for the on-going devel- 
opment, enhancement, dissemination, and implementation of security standards for 
payment card data protection. 

The Council was founded in September 2006 by the five major payment card 
brands: American Express, Discover, JCB, MasterCard, and Visa. Together, these 
five brands represent the vast majority of payment card transactions both Nation- 
wide and globally. In coming together, these organizations agreed to work together 
to develop and recognize one set of data security standards to protect payment card 
data that is stored, processed, or transmitted. 

Prior to the formation of the Council, each of the payment card brands developed 
their own set of requirements to ensure that the data of those carrying their respec- 
tive cards was maintained in a secure fashion. Consequently, retailers and other 
merchants expressed frustration at the challenges of securing payment card data in 
a way that was not universally recognized by all the payment card brands with 
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which they did business. Organizations involved in the payment process also high- 
lighted their desire for a mechanism to contribute to the payment card data security 
agenda and to provide input and gain insight into the security standards they would 
be using. It is for this reason that broad participation and transparency are core 
tenets of the Council’s operating principles. 

The Council is but one example of the hundreds of private sector-based entities 
that have been formed to develop voluntary consensus standards across virtually all 
branches of industry to serve new needs as they arise, thereby helping to ensure 
that businesses can conduct their operations responsibly at home, and competitively 
around the globe. This private sector role in standards development was mandated 
by Congress in 1995 by its enactment of the National Technology Transfer and Ad- 
vancement Act (Pub. L. 104-113) (“the Act”). The Act requires Government agencies 
to dramatically decrease the creation and use of “Government-unique” specifications 
in their procurement activities, and instead rely on voluntary consensus and private 
sector standards whenever possible, as well as to report, via the National Institute 
of Standards and Technology, their compliance with this directive. In 1998, the Of- 
fice of Management and Budget (OMB) updated Circular A-119 to provide addi- 
tional guidance to the Federal agencies on implementing the Act. Under the Act, 
Government agencies are requested to participate in developing voluntary consensus 
private sector standards to the extent that their resources allow. Consistent with 
this mandate, several governmental entities participate in the PCI Security Stand- 
ards development process. 

THE council’s mission 

The mission of the PCI Security Standards Council is to enhance payment card 
data security by developing and maintaining appropriate security standards and re- 
lated tools, and driving education and awareness of the critical importance of data 
security. Even though the Council is a business-focused organization, this mission 
has at its heart the protection of consumers. The Council works to provide the nec- 
essary tools and resources that organizations should use to protect their customers’ 
payment card data successfully. 

As discussed below, the Council achieves this end by enabling a sophisticated, 
global security infrastructure based upon five highly specialized and important 
mechanisms: 

1. Standards for implementation by both those that store, process, and transmit 
payment card data, as well as those that sell the devices and other equipment 
that access and transmit such data. 

2. Approval, training, and on-going quality assurance of a worldwide network 
of “Qualified Security Assessors” (QSAs) that conduct on-site assessments to de- 
termine whether those with access to payment card data are in compliance with 
applicable Council standards. 

3. Approval, training, and on-going quality assurance of a worldwide network 
of “Approved Scanning Vendors” (ASVs) that conduct remote scanning of net- 
works to determine whether those networks are secure against most network- 
based attacks. 

4. Training and approval of laboratories that can in turn approve certain prod- 
ucts to be in adherence with applicable Council standards. 

5. Training and education of payment process participants through classroom 
sessions, collateral material and webinars, so they are aware of the importance 
of protecting payment card data from emerging threats and can actively partici- 
pate in protecting themselves and their customers from attacks. 

HOW THE COUNCIL DIFFERS FROM OTHER PARTIES IN THE PAYMENT CHAIN 

As a standards body, the Council is responsible for developing and maintaining 
the security standards and other tools necessary to protect payment card data with- 
in the payment process. The Council publishes these standards for anyone to access 
but specifically for the payment card industry’s use in security and compliance pro- 
grams. It is important to distinguish between this role as standards custodian and 
industry body from those organizations that may validate compliance or enforce 
compliance through rules, rewards, or actions against parties not yet compliant with 
applicable security standards. 

The Council does not validate the compliance of any entity or vendor with its core 
standard, the PCI Data Security Standard (“PCI DSS”). Indeed, like any other orga- 
nization that develops voluntary consensus standards, it does not have the authority 
or mechanisms to enforce compliance to its standards. Consequently, the Council 
does not run standards compliance programs. Instead, each payment card brand 
maintains its own compliance programs based upon the Council’s standards, adding 
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their own stipulations and requirements for demonstrating compliance for those 
businesses that must comply. Therefore, the Council has no direct business relation- 
ships with those entities that store, process, or transmit payment card data, and 
does not have the responsibility or contractual right to validate compliance, enforce, 
or levy fines for non-compliance with the security standards that it publishes. Each 
of these roles is performed by the payment card brands. 

THE COUNCIL’S STAKEHOLDERS 

In order to be certain that the Council’s standards are as clear and comprehensive 
as possible, we seek input from a wide range of stakeholders as part of the stand- 
ards development process. For instance, the Council’s Participating Organization 
program is open to any organization involved in the payment chain — merchants, 
hanks, processors, Government, and academia. To date, more than 500 leading na- 
tional, regional, and global players are part of this effort. 

Participating Organizations provide the Council with real world insight and expe- 
rience in deploying security standards in the field, and have deep understanding of 
the challenges and threat vectors that security standards must address. Together, 
these Participating Organizations represent the people who are responsible for se- 
curely handling and defending consumers’ payment card data against attack on a 
daily basis, and therefore provide a valuable resource in feeding front-line threat in- 
formation into the Council. 

From among the Participating Organizations, a smaller group of 21 representa- 
tives are seated as the Council’s Board of Advisors every 2 years through an open 
election and appointment process. Two-thirds of the Board of Advisors are elected, 
with the remainder appointed to ensure adequate geographical and industry rep- 
resentation. These organizations act as spokespersons for their respective industries 
and regions and ensure that the Council is able to partner with industry at a very 
detailed and actionable level in the standards-setting process. The Board of Advisors 
is a critical enabler in our mission to secure businesses’ payment processes and con- 
sumers’ payment card data globally. 

Our current Board of Advisors is composed of leaders in their respective indus- 
tries such as Wal-Mart Stores, Inc., Microsoft, PayPal, First Data Corporation, and 
British Airways. The Board has worked tirelessly with the Council over the past 2 
years to highlight areas of need in the market, and to devise educational resources 
that are of immediate benefit to organizations looking to improve their security. 

I want to recognize here for the record the hard work of our Participating Organi- 
zations and Board of Advisors, all of whom contribute to the Council’s security 
standards in an entirely voluntary capacity. 

In addition to our Participating Organizations, the Council’s QSA and ASV com- 
munities, together numbering more than 250 companies worldwide, provide valuable 
insight from the front lines of examining merchants and processors systems. QSAs 
and ASVs are able to provide feedback on where the implementation challenges lay 
and when common security vulnerabilities appear. The Council is in constant two- 
way communication with this group through webinars, newsletters, and, of course, 
the Council’s annual QSA and ASV retraining and examination processes. 

THE PCI SECURITY STANDARDS 

The Council’s security standards — the tools it makes available for use by public 
and private sector entities to secure payment card data — are designed to protect 
specific parts of the payments process. The Council is constantly looking for new 
ways to secure the payment process and maintains a dialogue with its Board of Ad- 
visors and other industry stakeholders to bring new resources to the market to fur- 
ther protect consumer’s payment card data. As a result, since its inception in 2006, 
the Council has assumed management responsibility for several payment security 
standards in addition to the more-well known PCI DSS, with the mission of increas- 
ing payment card data security. I’d like to give a brief overview of the standards 
the Council currently manages and updates: 

PCI Data Security Standard 

The PCI Data Security Standard is a set of 12 detailed requirements designed 
around six principles fundamental to securing payment card data. At the heart of 
this standard is the requirement that organizations do not store sensitive payment 
cardholder information typically contained in the magnetic stripe on the back of the 
payment card. This is the information that criminals want to steal to create counter- 
feit cards. The fundamental principle of the PCI DSS is that organizations must not 
store sensitive data. Where information such as the Primary Account Number 
(PAN) or expiration date is stored, it must be rendered unreadable. This generally 
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means that it must be truncated, hashed, or encrypted, so that unauthorized access 
to such data will be of limited use to a criminal. 

Along with these fundamentals, the very detailed requirements of the PCI DSS 
cover areas ranging from securing applications, networks, and perimeters to main- 
taining up-to-date security patches and anti-virus software, to things like developing 
and maintaining an incident response plan and processes for an organization to fol- 
low in the event of a breach. 

The Payment Application Data Security Standard (PA-DSS) 

The Council developed this standard after feedback from our Participating Orga- 
nizations and member brands indicated that software applications represented a 
point of weakness in the payment chain. These payment applications range from 
touchscreen applications you might see used in a restaurant, to point-of-sale soft- 
ware used in ticketing kiosks in museums and theme parks. Unless otherwise re- 
quired by the customer demanding PA-DSS compliance, some of these payment ap- 
plications may be designed to store sensitive payment card data thereby under- 
mining an organization’s efforts to comply with the PCI DSS. The Council intro- 
duced a process that enables payment applications to be tested in laboratories to 
determine whether they are secure, not storing payment card data, and whether 
they are capable of helping, rather than hindering, an organization’s efforts to com- 
ply with the PCI DSS. The Council maintains a list on our Web site of validated 
payment applications that have been tested in and approved by laboratories for mer- 
chants to use in assessing their own applications and making informed purchasing 
decisions. 

The PIN Entry Device Security Requirements 

The PIN Entry Device security requirements have the same underlying principle 
as the PA-DSS. They are designed to enable organizations to protect consumer’s 
payment card data and ensure that PIN Entry Devices have been designed not to 
store payment card information, thus jeopardizing organizations’ PCI DSS compli- 
ance efforts. As a PIN Entry Device is a physical object, these requirements cover 
not just ensuring that a device does not store sensitive data, but also that it is 
tamperproof, and that, should the device be compromised, its contents will self-de- 
struct. 

The Council maintains a list at its Web site of approved devices that have been 
successfully tested in Council-approved laboratories for merchants to cross-reference 
against their own devices and to assist them in making informed purchasing deci- 
sions. The Council is currently working to expand the scope of this program to in- 
clude a broader array of device types, including unattended payment terminals such 
as ticket kiosks and self-service machines. 

Development and review of the PCI standards is a continuous process. In the case 
of the PCI DSS, the Council follows a defined 24-month life-cycle process that incor- 
porates a feedback period from stakeholders and allows for periods of review by the 
Council’s Board of Advisors, Participating Organizations, QSAs, and ASVs. 

While a planned life-cycle process is important, it is equally important that the 
Council be responsive to emerging threats. As a result, we have several mechanisms 
for on-going communications with assessors (QSAs and ASVs), merchants and other 
stakeholders to provide guidance as new threats emerge. These include: 

• Errata to the DSS itself; 

• Flash bulletins on emerging threats; 

• A monthly newsletter to the Assessor community with the latest threat infor- 
mation & corresponding changes required to the assessment process; 

• Regular updates to the ASV test scanning environment to reflect new threats 
emerging “in the wild”; 

• Monthly Webinars with both assessors and merchants; 

• Updates to the Council’s on-line searchable FAQ and training materials to en- 
sure they include the latest information on the threat landscape. 

THE NATURE OF THE COMPLIANCE CHALLENGE AND PROCESS 

Validation of compliance with the PCI Data Security Standard can only represent 
a snapshot in time that coincides with information shared with and interpreted by 
a QSA during the assessment period. Unfortunately, the dynamic nature of any or- 
ganization’s systems and network environments can result in a wide variety of ac- 
tions or inactions that can render a validated system noncompliant almost imme- 
diately after a satisfactory compliance report has been issued. As a result, effective 
compliance is a full-length feature film where the organization is “compliant” at 
each and every frame of that film. For that reason, the Council believes achieving 
and maintaining compliance with PCI DSS and continuous vigilance regarding other 
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security practices is an on-going process that must systematically be integrated into 
every organization’s development and operational practices and policies in order to 
serve as the best line of defense against a data breach. 

The evidence of data breaches demonstrates that criminal elements continue to 
manufacture new and inventive ways to compromise security systems, and we can 
assume that this will continue to be true. The Council, its members and others are 
working diligently to secure payment card data against increasingly experienced 
and organized criminals. In spite of the severity of this continually dynamic threat 
landscape, the Council believes achieving and maintaining compliance with the PCI 
DSS is the best line of defense against data breaches. 

It is important to note that the members of the Council report that they have 
never found an entity that has been subject to a data breach that was also in full 
compliance with the PCI DSS at the time of the breach. Nonetheless, there is no 
such thing as perfect security. An organization could very well be compliant on the 
day its QSA wrote its assessment report, but noncompliant thereafter, at the time 
of a data breach. Many things can cause the protection to break down — logging rules 
not being followed, delaying installation of software patches, installing untested 
software, etc. Any of these examples (and many more) may cause a previously vali- 
dated company to no longer be compliant, and therefore vulnerable to attack. Orga- 
nizations must not take solely a checklist approach to security, or rely on periodic 
validation on a specific day as their security goal, but must instead exercise contin- 
uous vigilance and maintain a strict security program that ensures constant and on- 
going PCI DSS compliance. 

THE FUTURE OF THE COUNCIL’S EFFORTS AND PAYMENT SECURITY 

To succeed in the fight against cybercriminals who target our payment systems 
will require the continued vigilance and work of all parties involved in the payment 
chain. No system is perfect, and while breaches can be expected to continue to occur, 
through our efforts and the pervasive adoption of the Council’s standards and the 
best practices it advocates, the work of these thieves will remain as difficult as pos- 
sible. 

When breaches do occur, the Council works with its member brands, forensics in- 
vestigators and, at times, through direct outreach to seek information from breached 
entities, to determine the root causes of the breach. If a need to strengthen the 
Standards or the Council’s Assessment programs is identified, we have mechanisms 
in place for taking swift action. 


CONCLUSION 

Once again, I want to thank Chairwoman Clarke, Ranking Member Lungren and 
the subcommittee Members for their oversight of this issue and for providing me 
the opportunity to testify on the important issue of payment card data security. We 
hope that those entities that handle payment card data take from this hearing the 
understanding of their responsibilities to consumers, shareholders, and society at 
large to increase focus on their payment security efforts. Using tbe PCI Security 
Standards should act as a baseline for their doing so. We also hope that many more 
of them will join us as Participating Organizations, willing to help shape the future 
of payment security standards based on their own experience of defending payment 
data against attack on a daily basis. 

Ms. Clarke. I now recognize Mr. Majka to summarize his state- 
ment for 5 minutes. 

STATEMENT OF W. JOSEPH MAJKA, HEAD OF FRAUD CON- 
TROL AND INVESTIGATIONS, GLOBAL ENTERPRISE RISK, 

VISA, INC. 

Mr. Majka. Chairwoman Clarke and Members of the committee, 
my name is Joe Majka. I am head of Fraud Control and Investiga- 
tions for Visa, Inc. I have been with Visa for over 12 years, and 
I have over 28 years of experience in corporate security investiga- 
tions and law enforcement, specializing in the area of financial 
crimes. 

I want to thank the committee for this opportunity to appear at 
today’s hearing and to explain who Visa is in our role as a leader 
in global data security. It is important to note that Visa’s funda- 
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mental role is to facilitate transactions between millions of con- 
sumers and businesses. Visa is not a bank and we do not issue pay- 
ment cards. Visa is a network that connects 1.6 billion global pay- 
ment cards, 29 million worldwide merchants, and over 16,000 fi- 
nancial institutions in 170 countries. 

Through electronic payment networks like Visa, the entire econ- 
omy benefits from a more transparent, cost effective, and secure 
commercial activity. 

I am pleased to be here to talk with you about data security and 
about the payment card industry data security standard in par- 
ticular. In our view, the best way to secure payments is by apply- 
ing two core principles. 

First, security must be a shared responsibility among all relative 
parties — law enforcement, payment companies, regulatory agencies, 
retailers, and others. Only together can we protect all parts of our 
shared system. 

Second, we must collectively apply multiple layers of security to 
protect the system. That includes measures applied at the card 
level such as card verification values or transaction alerts, and in- 
cludes measures applied at the point of sale, such as standards for 
secure devices and best practices for data storage, and it includes 
measures applied at the network level, including neural networks 
and fraud monitoring. 

One of the most effective layers we have collectively applied to 
date is the PCI Data Security Standard. Visa acquires all entities 
that store transmitter Visa card data to comply with the standards. 
To our knowledge, no organization that is fully implemented and 
maintained compliance with the standard has been a victim of a 
data compromise event. We believe full compliance with the stand- 
ard is a valuable component of a comprehensive security program 
and greatly reduces the risk of data compromise. 

While there have been a few instances where an entity that pre- 
viously validated compliance was a victim of a compromise, in all 
cases our review concluded gaps in the compromised entity’s PCI 
DSS controls were major contributors to the breach. 

Approximately 90 percent of the U.S. merchants and 80 percent 
of third-party processors have validated PCI compliance. These or- 
ganizations, like Michaels, deserve credit to enhancing their secu- 
rity practices to meet the minimum industry standard and for vali- 
dating their compliance on at least an annual basis. 

This month in Washington, DC, Visa held our third Global Secu- 
rity Symposium, a symposium on payment security where Visa 
called on system participants for continued industry investment, 
collaboration, and innovation to keep the electronic payment sys- 
tem secure for the future. At this summit we heard from numerous 
individuals and organizations who reaffirmed the importance of on- 
going compliance with the PCI standards. 

Visa has maintained a long-standing relationship with law en- 
forcement agencies over the years, supporting efforts to investigate 
and prosecute criminals committing payment card fraud. This rela- 
tionship continues and is stronger than ever today as Visa and law 
enforcement agencies work together to combat cybercriminals in to- 
day’s high-tech world. 
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Visa was a founding member of the U.S. Secret Service Elec- 
tronic Crimes Task Force in San Francisco and continues to ac- 
tively participate in U.S. Secret Service task force groups. Visa also 
works closely with the FBI Cyber Division, U.S. Postal Inspection 
Service, State attorneys general, and the Department of Justice 
Computer Crime and Intellectual Property Section. 

In 2004, Visa provided investigative support to law enforcement 
which resulted in the indictment and extradition of Roman Vega, 
one of the most significant high-level cybercriminals at the time. 
Visa continues to support high-profile investigations, including the 
arrests of criminals responsible for hacking into Dave and Busters 
and T.J. Maxx. Visa values our partnership with law enforcement 
and is committed to continuing to work closely with law enforce- 
ment to bring cybercriminals to justice. 

Protecting card holders is always a primary goal in responding 
to data compromise incidents. After learning of a data compromise, 
Visa immediately begins to work with the compromised entity, law 
enforcement, and the affected client financial institutions to pre- 
vent card-related fraud. 

In closing, securing consumer data within the U.S. economy is a 
shared responsibility, and every industry should deploy focused re- 
sources to protect consumer information within its care. We look 
forward to working with all participants to continue to develop 
tools to minimize the risk and the impact of data-compromise 
events. 

Thank you for the opportunity to be here today. I would be happy 
to answer any questions. 

Ms. Clarke. Thank you for your testimony. 

[The statement of Mr. Majka follows:] 

Prepared Statement of W. Joseph Majka 
March 31, 2009 

INTRODUCTION 

My name is Joe Majka. I am the head of Fraud Control and Investigations for 
Visa Inc. I have been with Visa for over 12 years and have over 28 years of experi- 
ence in corporate security, investigations, and law enforcement, specializing in the 
area of financial crimes. I want to thank the committee for this opportunity to ap- 
pear at today’s hearing and explain who Visa is and our role as a leader in global 
data security. Visa plays a unique role in the financial system, facilitating commerce 
among millions of consumers and businesses here and around the globe. It is impor- 
tant to note that Visa’s fundamental role is to facilitate transactions between con- 
sumers and businesses. Visa is not a bank. We do not issue payment cards (credit, 
debit, or prepaid), make loans to consumers, or set the interest rates or fees associ- 
ated with card usage or acceptance. Visa is a network that serves as the connection 
point between 1.6 billion global payments cards, 29 million worldwide merchants, 
and 16,600 financial institutions in 170 countries. In making these connections, Visa 
helps create significant value for each of the participants in our system. Consumers 
receive a more convenient, secure, and widely accepted way to make payments. Re- 
tailers benefit from the speed, efficiency, security, and reliability that only electronic 
payments can provide. They also receive guaranteed payment and can avoid the 
need to extend credit directly to their own customers. In fact, the entire economy 
benefits from electronic payments through more transparent, secure, and cost-effec- 
tive commercial activity. The Visa Payment System plays a pivotal role in advancing 
new payment products and technologies, including initiatives for protecting card- 
holder information and preventing fraud. 

We’re pleased to be here to talk with you about data security in the payment card 
industry and about the Payment Card Industry Data Security Standard in par- 
ticular. But, I want to put this discussion in the context of a multi-layered approach 
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to security that includes fraud control measures from the card, to the terminal, 
through to the Visa network. Visa understands that we must protect each link with- 
in our control and work with others to preserve the trust in every Visa payment. 
Visa is keenly focused on ensuring that payment products are not used to perpetrate 
identity theft or other criminal activity. Our goal is to protect consumers, mer- 
chants, and our client financial institutions from fraud by preventing fraud from oc- 
curring in the first place. To that end, Visa employs multiple layers of security, of 
which the PCI standard is an important one, but only one of many. We have taken 
a leading role in promoting cardholder information security within the payments in- 
dustry. Visa and our participating financial institutions also provide solutions to 
prevent fraud and protect cardholders in the event of a data compromise. These in- 
clude real-time fraud monitoring, identity theft assistance, consumer alerts, and 
zero liability for cardholders on fraudulent transactions. Visa provides sophisticated 
neural networks that enable our client financial institutions to block authorization 
transactions where fraud is suspected. Thanks to massive investments and innova- 
tive solutions, compromise events rarely result in actual fraud and fraud rates in 
the payments industry remain near all-time lows. 

The payment card industry, regulatory agencies, and law enforcement have indi- 
vidually and collectively taken extensive measures to prevent and mitigate the ef- 
fects of consumer information compromises. In this regard, Visa has required all en- 
tities that store, transmit, or process Visa card data to comply with PCI DSS stand- 
ards, has implemented incentives to encourage payment participants to make the 
significant investments needed to attain compliance, and has taken numerous steps 
to minimize the amount of cardholder data stored by system participants. 

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD 

PCI DSS was the first security standard adopted by the PCI SSC, but it has not 
been a static standard. The PCI Security Standards Council is charged with review- 
ing and updating the standard to ensure that it remains effective to protect card 
data, by incorporating input from stakeholders as well as technological develop- 
ments in the evolution of the standard over time. Visa recognizes that no set of 
standards can provide an absolute guarantee of security in a changing world, and 
PCI DSS is not an exhaustive list of all the security practices that may be effective 
to safeguard card data. To our knowledge, however, no organization that has fully 
implemented and maintained compliance with the PCI DSS has been the victim of 
a data compromise event. Therefore, we believe that full compliance with the stand- 
ard is a valuable component of a comprehensive security program and greatly re- 
duces the risk of data compromise. We also believe that PCI DSS controls are highly 
effective in mitigating the impact of data compromise events. 

Validating PCI DSS is a major milestone, but achieving and maintaining compli- 
ance requires companies to make an on-going commitment to keeping consumers’ 
data safe — 24 hours a day, 7 days a week, 365 days a year. While there have been 
a few instances where an entity that previously validated compliance was the victim 
of a compromise, in all compromise cases our review concluded that gaps in the com- 
promised entity’s PCI DSS controls were major contributors to the breach. As such, 
Visa continues to believe that standards validation is a valuable process that drives 
organizations to undertake the minimum steps necessary to protect cardholder data. 
While it is easy to focus on the failures that some entities have had with on-going 
compliance, we believe it is likely that many compromises have been prevented as 
a result of the strenuous efforts of merchants and processors to maintain compliance 
with PCI DSS. 


VISA SECURITY INITIATIVES 

Visa leads the payment industry in providing merchants and service providers 
with incentives to validate and comply with PCI DSS in order to ensure that they 
properly protect cardholder data. In particular, Visa launched a Compliance Accel- 
eration Program offering $20 million in incentive payments to promote compliance 
among the largest U.S. merchants that account for more than two-thirds of Visa an- 
nual transactions. Visa’s combination of incentive payments and potential fines ulti- 
mately drove the vast majority of large U.S. merchants to validate their initial com- 
pliance with PCI DSS and to revalidate annually thereafter. At this time, approxi- 
mately 90 percent of large U.S. merchants have validated PCI DSS compliance. Visa 
also publishes a list of service providers that have validated compliance with the 
PCI DSS, which has been the principal incentive in driving 80 percent of U.S. serv- 
ice providers to validate their compliance on an annual basis. These organizations, 
like Michaels, deserve credit for enhancing their security practices to meet the min- 
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imum industry standard and for validating their compliance on at least an annual 
basis. 

Visa has also made considerable strides toward eliminating the storage by mer- 
chants and processors of authorization data, which criminals covet to perpetrate 
fraud. This “prohibited” data includes full magnetic stripe information, the CW2 
or “Card Verification Value 2” and PIN. Visa has executed a “drop the data” cam- 
paign over the past 3 years to encourage merchants to discontinue storage of prohib- 
ited data and reduce overall cardholder data storage. Additionally, Visa developed 
security standards for payment application vendors to support merchants in their 
security efforts by driving vendors to reduce data storage and provide more secure 
payment application products. 

Visa has executed a robust data security educational campaign to engage payment 
system participants in the fight to protect cardholder information. This campaign 
includes training for financial institutions, merchants, and service providers. Most 
large merchants, including Michaels, have attended one of Visa’s security training 
seminars. Visa is also committed to educating system participants on emerging se- 
curity threats and publishes regular security alerts and bulletins, and holds semi- 
nars focused on data security and fraud mitigation. Visa has partnered with organi- 
zations like the National Retail Federation to promote data security among its mem- 
bers and commends the NRF and Michaels for their data security efforts. Visa out- 
reach also extends to participation in industry forums on data security, media cam- 
paigns, and partnerships with other industry groups made up of merchants, such 
as the U.S. Chamber of Commerce. This month in Washington, DC, Visa held our 
third Global Security Summit, a symposium on payment security where Visa called 
on system participants for continued industry investment, collaboration, and innova- 
tion to keep the electronic payment system secure for the future. The Global Secu- 
rity Summit reaffirmed the importance of on-going compliance with security stand- 
ards and highlighted opportunities to actively engage consumers in the process of 
fraud prevention through Visa’s transaction alerts and notifications service which 
can not only help consumers track and manage their accounts, but also provide an 
early warning of potentially fraudulent activity. 

COLLABORATION WITH LAW ENFORCEMENT 

Visa has maintained a long-standing relationship with law enforcement agencies 
over the years, supporting efforts to investigate and prosecute criminals committing 
payment card fraud. This relationship continues and is stronger than ever today, 
as Visa and law enforcement agencies work together to combat cyber criminals in 
today’s high-tech world. In 2002, Visa was a founding member of the U.S. Secret 
Service San Francisco Electronic Crimes Task Force and continues to actively par- 
ticipate in U.S. Secret Service task force groups in San Francisco, New York, and 
Los Angeles. Visa also works closely with the Federal Bureau of Investigation’s 
Cyber Division, United States Postal Inspection Service, State Attorneys General 
and the Department of Justice Computer Crime and Intellectual Property Section. 

In 2004, Visa provided investigative support to Federal law enforcement, which 
resulted in the indictment and subsequent extradition to the U.S. of Roman Vega, 
known on-line as “Boa”. Roman Vega was allegedly one of the most significant high- 
level criminals specializing in the on-line sale of stolen payment card data at the 
time. Visa has continued with our investigative support on other high-profile inves- 
tigations, including the Federal prosecution of Max Ray Butler known on-line as the 
“Iceman”, arrested by Federal agents in 2007 and the 2008 arrest of Albert 
Gonzales, Maksym Yastremskiy, and Aleksandr Suvorov for their scheme in which 
they hacked into Dave & Busters, Inc. restaurants. Visa also works closely with 
local law enforcement agencies and local retailers in supporting their effort to inves- 
tigate and prosecute street level criminals using payment cards to commit fraud. 
Visa values our partnership with law enforcement and is committed to continuing 
to work closely with law enforcement to bring cyber criminals to justice. 

RECENT COMPROMISE EVENTS 

After learning of data compromise events, Visa immediately begins working with 
the compromised entity, law enforcement, and affected client financial institutions 
to prevent card-related fraud. Visa notifies all potentially affected card-issuing insti- 
tutions and provides them with the necessary information so that they can monitor 
the accounts and, if necessary, advise customers to check closely all charges on their 
statements or cancel or reissue cards to their customers. Visa card-issuing institu- 
tions have the direct responsibility and relationship with cardholders, and because 
of Visa’s zero liability policy for cardholders, bear most of the financial loss if fraud 
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occurs. Visa financial institutions can best determine the appropriate action for each 
customer that might have been affected. 

Based on Visa’s findings following recent compromise events at Heartland Pay- 
ment Systems and RBS WorldPay, we have taken the necessary step of removing 
both companies from our on-line list of PCI DSS-compliant service providers. In ad- 
dition, we are activating our account data compromise recovery programs, which are 
in place to protect our system and help issuers recoup some of their losses from com- 
promise events. Visa is committed to working with these processors so they can be 
reinstated to this list upon successfully revalidating their compliance and Visa is 
not penalizing merchants that continue to utilize these processors. Protecting our 
cardholders was, and remains, Visa’s primary goal in responding to this incident. 

CONCLUSION 

In closing, securing consumer data within the U.S. economy is a shared responsi- 
bility, and every industry should deploy focused resources to protect consumer infor- 
mation within its care. In this regard, the payment card industry has done more 
than any other to provide stakeholders with the tools and guidance that they need 
to properly secure the data they are trusted to protect. Visa has led the industry 
in protecting cardholder data and stands ready to continue to support industry par- 
ticipants in our collective fight against the criminals that perpetrate card fraud. We 
look forward to working with all participants to continue to develop tools to mini- 
mize and eventually eliminate the risk of data compromise in our economy. Thank 
you for the opportunity to present this testimony today. I would be happy to answer 
any questions. 

Ms. Clarke. I now recognize Mr. Jones to summarize his state- 
ment for 5 minutes. 

STATEMENT OF MICHAEL JONES, SENIOR VICE PRESIDENT 
AND CHIEF INFORMATION OFFICER, MICHAELS STORES, INC. 

Mr. Jones. Good afternoon, Madam Chairwoman, Members of 
the committee. 

I have been in retail for 30 years, 20 in retail IT, the last 4 with 
Michaels, a $4 billion merchant. I wish I could say that attempting 
to follow the PCI mandates made me confident that credit card 
data is completely safe, but unfortunately that is not the case. This 
is because the mandates have been developed from the perspective 
of the card companies rather than from those who are expected to 
follow them. 

The PCI data and security standards are an extraordinarily com- 
plex set of requirements; they are very expensive to implement, 
confusing to comply with, and ultimately subjective both in their 
interpretation and in their enforcement. The program is rife with 
ambiguity and complexity. As an example, must every company as- 
sociate acknowledge the security policy of a company? All 40,000 of 
our associates, or just those involved with credit transactions? This 
one PCI mandate has been imposed by compliance vendors dif- 
ferently at retailers all across the country. 

We have been questioned by customers, legislators, and even the 
credit card companies themselves, why do you keep credit card in- 
formation at all? One reason we keep the information is related to 
another credit card company procedure designed to protect their 
banks from loss. It is called a chargeback. It can be initiated by a 
bank on its own, or it can be initiated at the request of the bank’s 
customer. 

For example, if a customer spots a charge on their credit state- 
ment that they don’t recognize, they can initiate a chargeback by 
contacting the issuing bank. The retailer is then charged with re- 
trieving sales media by card number. If the retailer is unable to 
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produce that sales media, or something on that sales media does 
not match, the retail sale is reversed, and the cost of the trans- 
action is charged back against the retailer. This is true even if the 
transaction may have actually been made. This could have been 
fairly easily solved using a unique approval ID for each trans- 
action, thus eliminating the need for credit card number storage by 
the retailer. 

PCI states that all credit card data must be encrypted. There is 
an exception to this requirement, however; PCI states that data 
traveling over a private network need not be encrypted. While a 
private network is more secure, I still would not choose to send 
credit card numbers through this number unencrypted. Why? Be- 
cause it adds unnecessary risk. However, the credit card compa- 
nies’ financial institutions do not accept encrypted transactions. 

We at Michaels have asked, for the past 3 years, for the ability 
to send encrypted information to the bank. To date, this has not 
happened. Why is this an issue? One might ask the consumers af- 
fected by the Heartland Payment Systems data breach, or TJX Cor- 
poration, for that matter. It has been suggested that methods used 
in those breaches capitalized on this flaw. 

What can be done to improve this situation? First, many of the 
PCI requirements are covered by the Sarbanes-Oxley audits. This 
causes a lot of duplicative work around proof of compliance and is, 
arguably, unnecessary. 

Second, the requirements are one-sided against the merchants. 
The very financial institutions that impose them are not subject to 
the mandates themselves. 

Third, the PCI Data Security Standards Council was allegedly 
spun off from the credit card companies and set up as an inde- 
pendent governing body of credit card company, bank, and mer- 
chant representatives. In fact, the council is set up so that credit 
card companies and banks retain all power over the ultimate man- 
dates, fines, and anything else connected to PCI. It is not an indus- 
try standards body. 

When a breach occurs, and card data is stolen, clearly the con- 
sumer potentially suffers the most inconvenience. Fortunately, the 
law provides that promptly reporting consumers must be held fi- 
nancially harmless. However, the largest financial impact is on the 
retailer, especially if the credit card company’s data — which, by and 
large, we do not want — is seized from a retail location. The retailer 
is in the press, the retailer is demonized, the retailer is threatened 
with damages and sanctions. The retailer pays the cost of the 
fraudulent transactions. All of this arises from rules that initially 
grew from a card monopolist that we have no choice but to do busi- 
ness with or risk the loss of a large portion of our business. 

We do not need more laws. The existing, sometimes misguided, 
enforcement and the proliferation of State regulations around these 
issues have created a difficult, if not impossible, environment for 
retailers. 

In conclusion, I am proud to report that Michaels has never had 
evidence of a breach of consumer data. Regardless of the outcome 
here, we will continue to do what is necessary to keep card data 
safe, but in the future we would be more secure, and the risks to 
us all far lower, were the card companies to take greater responsi- 
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bility for the inadequate system of payment they have created and 
asked us to use. 

Thank you. I am happy to answer any questions. 

[The statement of Mr. Jones follows:] 

Prepared Statement of Michael Jones 
March 31, 2009 

Good afternoon, Madam Chairwoman, fellow committee Members, and distin- 
guished panel members. I am Michael Jones; I serve as the senior vice president 
and chief information officer (CIO) for Michaels Stores, Inc. reporting to the chief 
executive officer. Thank you for inviting me to discuss the security aspects of credit 
cards as they impact consumers at retail locations and especially at Michaels. 

Michaels Stores, Inc. is the largest specialty retailer of arts and crafts. With more 
than 1,000 stores in the United States and Canada, the company carries a wide se- 
lection of arts and crafts merchandise. Michaels also operates specialty stores under 
different brand names, including Aaron Brothers and Artistree manufacturing facil- 
ity. We have annual revenues approaching $4 billion. 

I have been with Michaels Stores in my current role for 41/2 years. I held the CIO 
position at Hollywood Video prior to Michaels for over 3 years. Prior to that I spent 
over 12 years at Kmart, and Kmart-related companies, in various leadership posi- 
tions in retail technology. I have been in the retail and restaurant industry since 
graduate school, and indeed, since my sixteenth birthday. 

I appreciate the committee’s invitation to provide a retailer’s view of the state of 
credit card security. In addition to my own experience I often communicate about 
this issue with my peers at retailers, restaurants, and other establishments that 
take credit cards from consumers as a form of payment. My comments today are 
informed by those discussions as well. 

At Michaels the customer is at the center of everything we do. Her loyalty and 
patronage of our stores is something we can not afford to lose for any reason. We 
always want her to feel safe and secure when she is in our stores, with the products 
we sell, and with the payment mechanism she chooses: Whether that be cash, 
checks, debit cards, gift cards, travelers checks, or credit cards. For many years we 
have implemented security standards and processes to protect our customers and 
their important financial information, with our preference always being to keep the 
least amount necessary to satisfy the payment process. Losing the trust of our cus- 
tomers because we can not safeguard their information is a risk we would not take, 
regardless of what mandates are imposed on us by an outside organization. 

Michaels Stores, Inc. is a PCI-certified organization and has been almost since the 
initial imposition of the standard (i.e., prior to the date where fines were threatened 
for non-compliance). 

I wish I could say that attempting to follow the PCI mandates made me confident 
that one could say customers’ credit card data is completely safe, but unfortunately 
that is not the case. That is because the mandates seem to have been developed 
from the perspective of the card companies, rather than from that of those who are 
expected to follow them. 

The PCI Data Security Standards are an extraordinarily complex set of require- 
ments. They are very expensive to implement, confusing to comply with, and ulti- 
mately subjective, both in their interpretation and in their enforcement. It is often 
stated that there are only twelve “requirements” for PCI compliance. In fact there 
are over 220 sub-requirements; some of which can place an incredible burden on a 
retailer and many of which are subject to interpretation. 

For example, one of the requirements is that all company associates must annu- 
ally acknowledge the company security policy. Michaels has an average of 40,000 
associates at any given time. In any one week we could have more then 1,000 
changes in associates. Well, as you might expect, many of our associates are getting 
trained on the range of our merchandise, the operation of the registers, fire safety 
protocols, and other important procedures to assist our customers and protect our 
operations. So do we also need to get every associate to learn and sign a written 
statement of our understanding of the credit card companies’ security policy? Or do 
we just need to get associates that may deal with credit cards to sign? This one little 
PCI mandate has been imposed by compliance vendors differently at retailers across 
the country both because of its subjective interpretation, and the inability for any 
large merchant to meet the standard in its most literal form. 

We have often been questioned by customers, legislators, and even the credit card 
companies themselves: “Why do you keep credit card information at all?” It would 
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seem with the risk of a breach from the outside or from within, we would be better 
served not to keep the data at all. We agree completely. As a retail CIO, I would 
like nothing better than to not store a single credit card number anywhere in our 
network of systems. 

The reason we must still keep credit card information is related to the results of 
another credit card company procedure designed to protect their banks from loss. 
It is called a chargeback. It can occur in a number of different ways. It can be initi- 
ated by a bank on its own, or it can be initiated at the request of a bank’s customer. 
For example, if a customer spots a charge on his bill that he does not recognize he 
might initiate a chargeback by contacting his card issuing bank. The card-issuing 
bank asks the merchant’s bank to retrieve documentation proving that the purchase 
took place. The merchant’s bank then requires the retailer to produce the under- 
lying documentation for the sale — typically sales media showing the customer’s cred- 
it card number, signature, and date of purchase. The merchant’s bank forwards the 
information back to the card-issuing bank. Often, once the customer sees the under- 
lying documents he remembers the purchase and the matter is closed. (Confusion 
might occur, for example, if the formal name of the business on the customer’s 
monthly statement — e.g. the XYZ Medical Complex — is different from the name of 
the business where the customer received services — The Offices of Dr. MDA. ) 

However, if the retailer is unable to produce the sales media, the sale is reversed 
and the cost of the transaction is “charged back” against the retailer. This is true 
even if the transaction were actually made. As I mentioned, banks can also initiate 
retrieval requests for documentation on their own — it does not have to be triggered 
by a customer. If the retailer cannot produce the underlying data, the cost of the 
purchase is taken from the retailer and credited back to the card-issuing bank. 

We have a department in Michaels dedicated to handling chargebacks. 
Chargebacks may be for a single transaction or an entire block of transactions. 
Card-issuing banks file retrieval requests that come to us. We must first look up 
the charge on our systems to match the transaction and identify the store location 
where the transaction took place (this is what we need the credit card number for). 
We then initiate a request to the store to “pull” the receipt for that transaction. 
Since we do not have an electronic signature system we have to get the paper re- 
ceipt. We then submit that back to the bank along with the original request. If the 
bank/credit card company determines that the charge was not made by the customer 
(this is pretty much at their discretion and we have little effective recourse), then 
we are charged back the amount of the transaction, plus a processing fee. 

Thankfully at Michaels, chargebacks are not a very large problem, but my breth- 
ren at big ticket companies are not so lucky, as I know from my previous work expe- 
rience. We could choose to take the hit and just accept the chargebacks as a cost 
of doing business so we would not need the credit card number stored but, over 
time, as word of our vulnerability spreads among the unscrupulous, this would like- 
ly cause an increase in chargebacks to the point where we could no longer sustain 
the losses. 

This could have been fairly easily solved and saved retailers hundreds of millions 
of dollars by having the credit card companies send retailers a unique approval ID 
back for each approval transaction. We could store that ID and a signature, and if 
there were a question on the transaction the unique approval ID would indicate how 
we locate the transaction. This would eliminate the need for us to store the credit 
card number, but still enable us to respond to retrieval requests. This method would 
have required changes for retailers, credit card companies, and the banks, but the 
overall expenditure would have been much less and the consumer data would be 
much safer. 

PCI states that all credit card data must be encrypted. This is a very important 
component of any data security standard, and one we use for sensitive data all 
across our organization. There is an exception to this requirement, however. PCI 
says that data traveling over a “private network” need not be encrypted. It does not 
state that it can’t be, just that it need not be. I have been told that in theory a 
private network is “more secure” than one that is not private. Well, there is no ques- 
tion about that. A land-line data communication connection that is direct between 
two organizations is certainly more secure then one that traverses the internet or 
a wireless network. Michaels has a private network between our stores and cor- 
porate headquarters. This network is also isolated from our other networks in the 
headquarters and the internet. Access is extremely limited. It is private and secure, 
and we continually look for ways to make it more secure; after all this is the net- 
work millions of our customers’ credit card numbers traverse every year. The secu- 
rity of this network is paramount and probably at least two-thirds of the PCI re- 
quirements deal with this very subject. 
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Yet I would still not choose to send my customers’ credit card numbers through 
this network unencrypted. Why? They are encrypted at the pin pad or register by 
mandate of the standard. It only makes sense that we would keep this information 
encrypted through our entire network. 

Unfortunately this is where the system breaks down. The credit card companies’ 
financial institutions, the very organizations that have created and are mandating 
this rigorous and highly complex standard, do not accept encrypted transactions. We 
must decrypt the credit card number at our corporate headquarters prior to sending 
to the merchant bank for approval! 

The transaction is then returned to us un-encrypted and we then re-encrypt it to 
send back to the store. We, at Michaels, have asked for the past 3 years for the 
ability to send encrypted information to the bank. To date, this has not happened. 
We have heard various ancillary responses to the request such as, “It is too expen- 
sive to implement”; “If you (i.e. the retailer) are willing to pay the costs (i.e. the 
credit card banks’ cost) to implement it we will consider it”; to “It would be too dif- 
ficult to implement a standard encryption routine in the industry.” 

Why is this the case? One might ask all the consumers affected by the Heartland 
Payment systems data breach, or TJX Corporation for that matter. It has been sug- 
gested that methods used in those breaches capitalized on that flaw. The criminals 
used a “Trojan Horse” that read the credit card data “in flight.” This is not the 
stored data I spoke of earlier, but rather the numbers that were flowing through 
the communication channel for approval. One reason thieves could capture this data 
is because it was not encrypted. Had it been encrypted they would most likely not 
have been able to read the data. 

Now there are several requirements in the PCI standards for “scanning” systems 
that look for these types of Trojan Horses. But this is not an ordinary virus that 
is written and sent to millions of PCs via e-mail. These are incredible technical pro- 
grams often designed by organized crime syndicates with technical resources that 
dwarf those of the average company. And with just one inside source in a company 
they can be made virtually invisible. So why take the chance? 

So, are the PCI standards bad? No, however there are some major issues with 
both the program and the way in which it is implemented. 

First, many of the requirements of PCI are already covered in many companies’ 
Sarbanes-Oxley audits. This causes a lot of duplicative work around proof of compli- 
ance, and is arguably unnecessary. 

Second, the requirements are one-sided against the merchants. The very financial 
institutions that impose them are not subject to all the mandates themselves. The 
idea that these organizations don’t “need” to be audited because they are already 
held to an audited examination standard is inconsistent with the arguments they 
make to us (i.e., Sarbanes-Oxley). 

Third, The PCI Data Security Standards Council was allegedly spun off from the 
credit card companies and set up as an independent governing body of credit card 
company, bank, and merchant representatives. In fact, the council is set up so that 
the credit card companies and banks retain all power over the ultimate mandates, 
fines, and anything else connected to PCI. Because of this, the mandates do not rep- 
resent what is the “best” security, but rather what is best for the credit card compa- 
nies and their financial institution partners. 

When a breach occurs and card data is stolen, clearly the consumer potentially 
suffers the most inconvenience. Fortunately, the law provides that promptly report- 
ing consumers must be held financially harmless. 

However, the largest financial impact is on the retailer, especially if the credit 
card companies’ data (which by and large we don’t want) is seized from a retail loca- 
tion. We are the ones in the press; we are the ones who are demonized; we are the 
ones States’ attorneys general and others threaten with damages and sanctions. 
Consumers may make decisions not to shop at a breached retailer not realizing that 
it was the card company processes that caused the data to be placed at risk. 

The retailers pay the costs of the fraudulent transactions, either through 
chargebacks or credit card company-imposed fees and penalties. All of this arises 
from rules that initially grew from a card monopolist that we have no choice but 
to do business with, or risk the loss of a large portion of our business. It would be 
impossible for a retailer like Michaels to survive without taking Visa. So we, like 
other retailers, swallow the tens of millions we have spent to become PCI-compliant, 
in many cases unnecessarily spent, which both reduces profitability and increases 
the costs of everything we, the merchant, sells. 

Is credit card data any safer now than it was before PCI was put in place? Yes. 
Would it be had PCI not been put in place? Probably. Could the consumers’ data 
be safer then it is right now? Most definitely! 
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But we do not need more laws. The existing (sometimes) misguided enforcement 
and the proliferation of State regulations around these issues have created a dif- 
ficult, if not impossible, environment for retailers to effectively meet the legal re- 
quirements imposed on them should a breach of information occur. 

Madam Chairwoman, committee Members, and distinguished panel and guests, if 
I can leave you with but one message, it is that the precepts underlying the massive 
dissemination of credit card data need to be rethought. As a CIO, I was informed 
by one of the top security officers of a major credit card company that based on their 
analysis our company credit card data had been breached. Although I thought this 
unlikely, they told me that they had never been wrong. After an agonizing week of 
internal research, twice daily “all hands on deck” calls, many, many dollars and 
hours spent, the voice at the other end of the line went dead. The next day a breach 
of over 40 million credit card numbers was announced at a bank processor. Our “in- 
cident” apparently showed that the card company’s analysis at that time had not 
counted on breaches of such magnitude, since we were later told that the data which 
had triggered all of our activity was more likely a subset of “another issue” they 
were dealing with. 

I am proud to report that Michaels has never had evidence of a breach of con- 
sumer data. Regardless of the outcome here we will continue to do whatever is nec- 
essary and prudent to keep the loyalty of our customers for, without that, we cease 
to exist. But the future would be more secure and the risks to us all far lower were 
the card companies to take greater responsibility for the inadequate system of pay- 
ment they have created and asked us to use. 

Thank you. I am happy to answer any questions you may have. 

Ms. Clarke. Thank you for your testimony. 

I now recognize Mr. Hogan to summarize his statement for 5 
minutes. 

STATEMENT OF DAVID HOGAN, SENIOR VICE PRESIDENT, RE- 
TAIL OPERATIONS, AND CHIEF INFORMATION OFFICER, NA- 
TIONAL RETAIL FEDERATION 

Mr. Hogan. Thank you, Chairwoman Clarke and Members of the 
committee, for this opportunity to appear on behalf of National Re- 
tail Federation, the world’s largest retail association. I have been 
with the NRF for almost 7 years and have spent my entire 25-plus- 
year career in retail information technology. 

Whether it be by cash, check, or plastic, the payment mechanism 
is really just a means of accomplishing business. Retailers accept 
credit cards for payment, in part because they have been assured 
by the credit card companies that if they follow a limited number 
of steps, they will be given a guarantee of payment. Most retailers 
are not in the payment-acceptance business any more than their 
customers are in the payment-delivery business. 

There have been two big developments in the last decade or so 
that have changed the playing field. The first has been the rapid 
proliferation of general purpose credit cards. With over 80 percent 
of the market share, Visa and MasterCard are two primary exam- 
ples, these cards issued broadly by banks in the hope that each 
card will generate income for them. 

The second change has been society’s increased computerization. 
Globally there have been numerous instances of hackers from out- 
side of our borders accessing computer systems, stealing credit card 
information, and then using this data to commit fraud. In several 
cases these have targeted companies that process or store credit 
card data. 

As with the growth of on-line shopping fraud, these develop- 
ments presented the card industry with a challenge. In response, 
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they introduced what they call the Payment Card Industry Data 
Security Standard, also called PCI. 

PCI is an attempt to prevent large stockpiles of credit card data 
from getting into the wrong hands. However, the PCI guidelines 
are onerous, confusing, and constantly changing. Indeed, PCI is lit- 
tle more than an elaborate patch. 

The premise behind PCI, that millions of retail establishments 
will systemically keep pace with ever-evolving sophistication of to- 
day’s professional hacker, is just not realistic. Our industry has 
spent billions on compliance programs related to data security. PCI 
protocols have required many merchants to scrap good existing 
data security programs and replace them with different security 
programs that meet PCI rules that aren’t necessarily any better. 
Even companies that have been certified as PCI-compliant have 
been compromised. 

Unfortunately, the economic incentives for the card companies to 
remedy these flaws in their system have been diminished. It ap- 
pears to our industry that the credit card companies are somewhat 
less interested in improving their product and procedures than 
they are in reallocating their fraud costs. In our view, if you peel 
back the layers around PCI, you will see it for what it really is, 
a tool to shift risk off the banks and credit cards’ balance sheets 
and place it on others. It is their payment card system, and retail- 
ers, like consumers, are just users of their system. What is really 
ironic here is that merchants are forced to store and protect credit 
card data that many don’t want to keep anyway. The credit card 
companies’ own rules around retrieval requests essentially require 
merchants to keep credit card data for extended periods of time. 

As I mentioned, all of us, merchants, banks, credit card compa- 
nies and our customers, want to eliminate credit card fraud, but if 
the goal is to make credit card data less vulnerable, the ultimate 
solution is to stop requiring merchants to store credit card data in 
the first place. In fact, we proposed such changes to the PCI Secu- 
rity Standards Council back in 2007. The card industry dismissed 
our proposal without addressing its merits. 

There have been numerous suggestions made over the years that 
would significantly reduce the chances of major data breaches, but 
none of them have been adopted yet. Here are just a few. 

First, go on record and stop requiring merchants to store credit 
card data and eliminate any penalties they impose for not doing so. 

Another, change the system and allow consumers to enter in a 
pin or personal identification number for credit card transactions, 
just like you do with debit card transactions. 

Third, quickly develop and roll out the next generation of credit 
card and give merchants the hardware and software necessary to 
handle these new products. 

In conclusion, once the payment system itself becomes a burden, 
commerce inevitably suffers. We believe any one of these rec- 
ommendations will significantly reduce credit card fraud. 

Thank you for the opportunity for appearing in front of this com- 
mittee. I will be happy to answer any of your questions. 

[The statement of Mr. Hogan follows:] 



42 


Prepared Statement of David Hogan 
March 31, 2009 

Thank you Chairwoman Clarke, Members of the committee. My name is Dave 
Hogan. I am senior vice president, chief information officer for the National Retail 
Federation. 

By way of background, the National Retail Federation (NRF) is the world’s largest 
retail trade association, with membership that comprises all retail formats and 
channels of distribution including department, specialty, discount, catalog, internet, 
independent stores, chain restaurants, drug stores, and grocery stores as well as the 
industry’s key trading partners of retail goods and services. NRF represents an in- 
dustry with more than 1.6 million U.S. retail establishments, more than 24 million 
employees — about one in five American workers — and 2008 sales of $4.6 trillion. As 
the industry umbrella group, NRF also represents more than 100 State, national, 
and international retail associations. 

I have been with NRF for almost 7 years and have spent my entire career in re- 
tail information technology. Prior to joining NRF I was a business unit CIO for The 
Limited and most recently CIO for international retailer, Duty Free Americas. Dur- 
ing that time I became familiar with the broad array of issues confronting retail 
CIOs, including matters related to data security. Both in my prior positions, as well 
as during my time at NRF I have helped design and upgrade the systems that pro- 
tect my companies’ core records. 

Currently, I also work with the NRF’s CIO Council. The Council is made up of 
more than 50 well-known retailers who meet regularly to study, share, and discuss 
best practices and challenges inherent in ever more sophisticated retail technology 
programs. As a result of that work I have become familiar with many of the issues 
involved with the Payment Card Industry Data Security Standards. 

Credit card security is not, however, a new issue for retail. For years many retail- 
ers managed their own in-house credit programs. Companies such as Sears and 
JCPenney offered proprietary retail credit through cards issued in all 50 States. 
They were known as proprietary programs because for most of their history, the 
cards were owned by the retailer and used exclusively for the purchase of a retail- 
er’s merchandise. Beyond credit programs, many companies maintain information 
about their most valuable customers, often gleaned through loyalty programs. Those 
programs are used to encourage our customers to shop and to serve them better 
when they do. All of this information was valuable and proprietary. 

For this reason retailers developed programs to secure their data. Each retailer’s 
program was commensurate with the sensitivity of the data it sought to keep. Cer- 
tainly, as to their cards, for example, no retailer wanted its credit card programs 
to be appropriated by thieves. Therefore, we retailers developed systems designed 
to minimize losses to us and inconvenience to our customers. 

There have been two big developments in the last dozen or so years that have 
scrambled the playing field. The first has been the rapid proliferation of what are 
known in the industry as third-party, general purpose credit cards. Visa and 
MasterCard are two examples. These cards are not issued by retailers, but rather 
are issued by independent banks under a particular card brand’s name. Thus you 
might have a Citibank MasterCard or a Chase Visa or a Citibank Visa. Consistent 
with their internal standards, the banks issue the cards as broadly as possible, in 
hopes that each card will generate income for the bank. 

The other big change has been increasing computerization and the related growth 
of the internet. As you all know computers are now ubiquitous. And many of our 
governmental, commercial, and personal activities are greatly dependent upon ac- 
cess to the Web. Unfortunately, the same processes that give us access also are 
available to the unscrupulous. Scams that would have been difficult to accomplish, 
or been limited in scope if they were attempted on a face-to-face, individual-by-indi- 
vidual basis, such as eliciting banking account information from individuals, can be 
much more efficiently accomplished on-line by “phishing,” for example, among those 
who engage in banking from their home computers. 

In a brick-and-mortar environment, retailers accept a variety of forms of payment: 
Cash, checks, credit cards, gift certificates, and other script. Retailers accepted cred- 
it cards for payment, in part, because they had been assured by the card companies 
that if the merchant followed a limited number of steps (e.g., confirming the card’s 
presence; checking the signature; obtaining an approval; and keeping a copy of the 
completed charge media) they would be given a guarantee of payment. Whether it 
be by cash, check, or otherwise, the payment mechanism is really just a means of 
accomplishing business. Most retailers are not in the payment acceptance business 
any more than their customers are in the payment delivery business. The form of 
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payment simply facilitates the underlying business to be done. (The consumer is 
searching for something to wear; the merchant is seeking to find and display attrac- 
tive merchandise that customers desire wearing.) 

A few years back, outside of the brick-and-mortar environment, in the then newly 
developing world of internet shopping, it soon became apparent to the credit card 
companies that they should take additional steps to minimize losses from the use 
of their card products for on-line purchases. Through a combination of rules and 
new security requirements the card companies were largely able to achieve that 
goal. They adopted special security requirements for on-line merchants (Visa’s pro- 
gram was called CISP: Customer Information Security Program). They also declared 
that the then-growing number of internet merchants who accepted a credit card for 
payment on-line would be 100% liable for any losses if charges were challenged, ei- 
ther by the cardholder or by the bank. As a practical matter, for on-line merchants, 
there was little or no payment guarantee. 

Over time, however, the card companies realized that the number of fraudulent 
purchases was continuing to rise. And this was true not just on-line. Thieves and 
others learned that if they could obtain the data on the credit card companies’ cards, 
they could accomplish a few fake transactions (on-line) or even create fake cards and 
accomplish many fraudulent transactions in a wide variety of brick-and-mortar loca- 
tions. 

The growth of computerization facilitated these breaches. Globally, there have 
been numerous instances of hackers accessing computer systems, stealing credit 
card information, and using this data to commit fraud. It has been reported that 
many of these hackers are operating out of Eastern Europe and some of the former 
Soviet states. In several cases they have targeted retailers’ computer systems that 
process or store credit card data. But the thieves are really looking for the data any- 
where they can find it. 

As with the growth of on-line shopping fraud, these developments presented the 
card industry with a challenge. In response, they introduced what they call the Pay- 
ment Card Industry Data Security Standards, commonly called PCI. Since its incep- 
tion, PCI has been plagued by poor execution by Visa, MasterCard and the other 
credit card overseers of the program. The PCI guidelines are onerous, confusing, and 
are constantly changing. Many retailers say that basic compliance is like trying to 
hit a rapidly moving target. 

As I mentioned, retailers take data security very seriously. Indeed, merchants, 
banks, the major card brands and the vendor community that supplies our industry 
with hardware and software all want to reduce the incidence of credit card fraud. 
PCI is an attempt to prevent large stockpiles of credit card data from getting into 
the wrong hands. But the premise of PCI, that hundreds of thousands or even mil- 
lions of merchants will systematically keep pace with the ever-evolving sophistica- 
tion of professional hackers, is unrealistic. 

PCI is little more than an elaborate patch. While PCI can reduce some fraud, at 
extraordinary cost, it is not nearly as effective as a redesign of the card processes 
themselves. Since its inception, our industry has spent billions on compliance pro- 
grams and related data security systems. PCI protocols have required many mer- 
chants to scrap good, existing data security programs and replace them with dif- 
ferent security programs that meet PCI rules but aren’t necessarily any better. Re- 
tailers have been required to take extraordinary steps to ensure that somewhere, 
somehow, data is not inadvertently being retained by software. However, what is 
ironic in this scenario is that the credit card companies’ rules require merchants to 
store, for extended periods, credit card data that many retailers do not want to 
keep. 

To many NRF members, it appears that the credit card companies are less inter- 
ested in substantially improving their product and procedures than they are with 
reallocating their fraud costs. In our view, if you peel off all the layers around PCI 
Data Security Standards, you will see it for what it is — in significant part, a tool 
to shift risk off the banks’ and credit card companies’ balance sheets and place it 
on others. It is their payment card system and retailers — like consumers — are just 
users of their system. 

As I mentioned, all of us — merchants, banks, credit card companies, and our cus- 
tomers — want to eliminate credit card fraud. But if the goal is to make credit card 
data less vulnerable, the ultimate solution is to stop requiring merchants to store 
card data in the first place. 

For example, rather than requiring that merchants keep reams of data — currently 
required under card company rules in order to satisfy card company retrieval re- 
quests — credit card companies and their banks should provide merchants with the 
option of keeping nothing more than the authorization code provided at the time of 
sale and a truncated receipt. The authorization code would provide proof that a 
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valid transaction had taken place and been approved by the credit card company, 
and the signed sales receipt would provide validation for returns or poof of pur- 
chase. Neither would contain the full account number, and would therefore be of no 
value to a potential thief. Any inquiries about a credit transaction would be between 
the cardholder and the card-issuing bank. 

If all merchants took advantage of this option, credit card companies and their 
member banks would be the only ones with large caches of data on hand, and could 
keep and protect their card numbers in whatever manner they wished. The bottom 
line is that it makes more sense for credit card companies to protect their data from 
thieves by keeping it in a relatively few secure locations than to expect millions of 
merchants scattered across the Nation to lock up their data for them. 

In fact, we proposed such changes to the PCI Security Standards Council in 2007. 
The card industry dismissed our proposal without addressing its merits but have 
yet to offer a viable alternative. 

Once the payment system itself becomes a burden, commerce inevitably suffers. 
The NRF, with direction from our CIO Council, has engaged the PCI Security 
Standards Council directly and highlighted flaws with the existing “standard” and 
“governance” of the PCI Security Standards Council. There have been numerous 
suggestions made over the years that would significantly reduce the chances of 
major data breaches, but none have been adopted. 

In conclusion, we believe any of our suggestions would be more effective and effi- 
cient approaches to protecting credit card data and preventing a continuation of the 
data breaches that have been seen in recent years. 

Thank you for the opportunity to appear before the committee today, I would be 
happy to answer any questions. 

Ms. Clarke. I thank the witnesses for their testimony. 

I will remind each Member that he or she will have 5 minutes 
to question the panel. I will now recognize myself for questions. 

My first question goes to both Mr. Russo and Mr. Majka. Since 
the PCI standards have become mandatory, there has been no 
shortage of massive data breaches. Is there any hard evidence to 
suggest that the standards have reduced the number of data 
breaches or the amount of credit card fraud? What metrics are in 
place to judge the effectiveness of these standards? 

Mr. Russo. Chairwoman Clarke, let me answer first. 

The council’s purview does not include keeping statistics on 
breaches, on who is compliant, as we do not have that relationship 
with the merchants. I can tell you, as I stated earlier, that based 
on what we have seen in forensics and what we have seen our in- 
formation has given us by reaching out to these breached entities, 
that they were, in fact, not compliant at the time of the breach. 
Very similar to Ms. Glavin, who mentioned locking your doors, you 
don’t lock your doors on Monday, Wednesday, and Friday and not 
on Tuesday, Thursday, Saturday, and Sunday. So it is constant vig- 
ilance that must be there when it comes to protecting this data. It 
is everyone’s responsibility, including the merchant, including the 
consumer, to be looking after their own data. 

Mr. Majka. Madam Chairwoman, I would like to say that entry 
into these data systems, while the criminal is very complex, we 
found that the entry methods have been very simple, and they 
would have been addressed by the PCI data security standard in 
all cases. Even those entities where they have had validated com- 
pliance, our review of those incidents found that either they hadn’t 
maintained compliance, and there were significant gaps that al- 
lowed the breach to occur. 

I would also like to say that the standard itself has been im- 
proved over the years. One of the success stories of the standard 
is the removal of prohibitive data from merchants’ servers. This 
has led to incidents where we no longer have a breached entity who 
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has been storing data for 3, 4, or 5 years that the criminals can 
access 5 years’ worth of data. So those are things that the standard 
itself has addressed and has helped. 

I would also like to say that I think that we don’t know how 
many breaches have been prevented by those entities that have, in 
fact, gone as far as implementing and maintaining the standard 
properly. 

Ms. Clarke. I think that is really at the core of the issue here 
is that we can’t get some tangible evidence of how effective this is 
in actually eliminating the breaches. It is clear that if people aren’t 
following the protocols, that opens them up in terms of more vul- 
nerability. But it would seem to me that as a part of the build-out 
of the floor of the PCI standards, that we would develop some sort 
of metric that gives us an ability to objectively judge the effective- 
ness of these standards. Are you saying that those don’t exist right 
now? 

Mr. RUSSO. No, Madam Chairwoman. They do exist in various 
entities, those entities being the acquiring banks, as an example, 
which own the relationships with the merchants. They require PCI 
compliance, they track PCI compliance, they have those numbers. 
Again, the council does not have any input into that or any view 
into that because we do not have the relationships with the mer- 
chants. The banks, the acquirers have the relationship with the 
merchants. But there are tens of thousands, hundreds of thousands 
that are going through programs every day and validating their 
compliance on a regular basis. 

Ms. Clarke. Mr. Russo, do you have a relationship with the 
banks? 

Mr. Russo. The council does not have a relationship with the 
banks other than to put its standard out there and make sure that 
they are creating awareness among their constituents that they 
need to be compliant with the standard. 

Ms. Clarke. Thank you. 

The next question then is both to you, Mr. Russo, and Mr. 
Majka. The PCI standards include requirements for encrypting 
data at rest and data that travels over the internet. But the Heart- 
land breach, for instance, involved data in transit between termi- 
nals and hosts on nonpublic networks. 

As Mr. Jones notes in his testimony, there are no PCI standards 
for this. Is this a fundamental weakness in the standards? Why 
doesn’t PCI require end-to-end encryption, including internal 
encryption? How are you going to address this? 

Mr. Russo. There are provisions within the standard now that 
address this data and address the inside network that should, in 
fact, either stop this from happening, or at least give you a warn- 
ing that something is happening so that you can immediately stop 
it and cut the breach off. We do go out to, as I mentioned, all of 
our participating organizations — one of whom is sitting at the table 
with me today, the NRF — and we do ask them for their feedback 
on the standard and what needs to be done. 

One of the things that we are in the process of doing right now 
is that we have issued a proposal to a number of technology compa- 
nies to give us an independent study on what we are calling emerg- 
ing technologies, one of which is end-to-end encryption, another of 
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which is tokenization, another of which is chip and PIN. So we are 
looking at these technologies and how they make the standard 
more robust. But it is important to the say that there really is no 
silver bullet here. 

Ms. Clarke. I am a bit over my time, but I would like to get Mr. 
Jones’ and Mr. Hogan’s response to this end-to-end encryption di- 
lemma. 

Mr. Jones. First, I think on encrypted, I am not sure I would call 
it an emerging technology; it has been around for some time. Obvi- 
ously, since it is a requirement for anything traveling outside the 
private network, I think that not having it as part of something 
that travels on your internal network was something originally to 
reduce some of the costs involved with implementing the stand- 
ards, because it costs money to implement encryption end-to-end, 
and that would have involved a lot of cost to merchant banks all 
across the country, as well as retailers. Every retailer would have 
had to implement encryption on their side. But we have already 
had to do it from — and most retailers do transact across the inter- 
net in one way or another, so we have had to do that. 

So I would separate that out from a chip and PIN discussion as 
far as what we should be looking at going forward. As far as 
whether it should be in the standard or not, I feel that it should 
have been in the standard long ago as part of something simply be- 
cause there are things that may have caught the Heartland Pay- 
ment thing. But when we talk about very sophisticated thieves, the 
Heartland Payment software that was used was so sophisticated 
that it was virtually impossible for highly technical, highly sophis- 
ticated people to pick up. Most of the existing scanning tech- 
nologies would not have even picked it up, but had it been 
encrypted, it wouldn’t have mattered. I think that is the way of 
looking. So why not lock your front door? Why leave it open? 

Ms. Clarke. Mr. Hogan, do you concur? 

Mr. Hogan. Yes, I do concur. I think it is very interesting that 
the merchants, universities, doctors’ offices, anybody who accepts 
credit cards and processes credit card data has to go through ex- 
traordinary hoops to adhere to a PCI standard; however, when it 
is convenient, the information is sent open in the free and clear, 
when it is transmitted to the banks, so on and so forth. 

So I think you have a double standard going on here where in 
one case you have to adhere to a standard, and spend a lot of time, 
effort, and money to do it, and then all of a sudden you send it 
back out wide open that anybody could potentially read 
unencrypted downstream. 

Ms. Clarke. Thank you. My time is expired. 

Let me now acknowledge the gentleman from New Mexico, Mr. 
Lujan. 

Mr. Lujan. Thank you, Madam Chairwoman. I know we have 
some votes we have to get to, if I am not mistaken, so I will try 
to keep this brief. 

Mr. Russo, what recommendations of standards have been made 
that have not been implemented by those that follow your stand- 
ards? 

Mr. Russo. Congressman, we have a feedback process in place, 
which Chairwoman Clarke mentioned a little earlier — actually, I 
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am a little perplexed because Mr. Hogan earlier said that this is 
constantly changing, yet Chairwoman Clarke indicated it was a 2- 
year process that we go through. We go through two feedback peri- 
ods where we get feedback from all of those participating organiza- 
tions, again, one of which is the NRF, and we then discuss all of 
this information at two community meetings that we have on a 
yearly basis, one in North America and one in Europe. That infor- 
mation is then taken back from what we are getting again at that 
community meeting and gone through another feedback period be- 
fore a new standard is released. 

I might also mention that the difference between the initial 
standard that we came out with in 2006 and the 1.2 version, which 
we came out with in October, was not that different. There were 
clarifications, there were documentation changes, more guidance 
information was put in to make it easier to understand the intent 
and, in fact, comply with it. These were all recommendations from 
these participating organizations, from our board of advisors. There 
are things that we put out on a regular basis based on their input. 
We do not create this standard in a vacuum. This is something that 
the entire group of participating organizations and the assessment 
community and our board of advisors advise us on. 

Mr. Lujan. Let me narrow the question a little bit. 

Mr. Russo, there was some discussion about end-to-end 
encryption for its databases. Isn’t that a recommendation that was 
made by the Heartland Payment Systems CEO? 

Mr. Russo. After the breach it absolutely was, after the breach. 
We agree that encryption is a good thing — again, not a silver bul- 
let. Encryption is a good thing. As the gentleman from Michaels 
mentioned, encryption is an expensive proposition. If we make this 
mandatory in the standard, there will be a number of merchants 
who will not be able to afford this immediately. There are provi- 
sions within the standard that actually affect what happens there. 
So the need for end-to-end encryption within the internal network 
is really not there. If you are following the standard religiously, the 
need is not there. Why put these people through the expense? 

That being said, we are now investigating it from an independent 
third party, and we will present that information in the form of 
feedback to our entire community and get their feeling on whether 
or not they actually want this to be part of the standard. 

Mr. Lujan. Mr. Russo, you said something earlier that I found 
interesting, that you have never found PCI not to be in compliance 
at a time of breach, meaning that at a time of breach, there may 
have been some break in compliance. But with the system that we 
have today, who is responsible for monitoring compliance? 

Mr. Russo. The merchant himself. Basically what we do is we 
take a snapshot — let me give you a brief example, if I have a 
minute or so. If you need fire insurance on your house, and you 
come to me and ask me as the insurance company to give you fire 
insurance, I send an inspector out, and you have everything in 
place — smoke detectors that work, fire extinguishers, sprinklers, 
and such. Three months later, your house burns down. I send an 
inspector out again, only to find out that there was no pressure on 
the sprinklers at that time, all of the batteries weren’t working in 
your smoke detectors, and so on. This is the responsibility not only 
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of the council to make sure that you are compliant, but it is your 
responsibility as a merchant, your responsibility to the consumers 
to make sure that you are doing this on a regular basis. 

Mr. Lujan. Mr. Russo, if I could interrupt, I think that that ex- 
ample is a perfect illustration, because I would ask that the regu- 
lator that was responsible for monitoring the fire suppressant sys- 
tem, if you come back after there was a fire, and you found out that 
my fire suppressant system wasn’t adequate to be able to protect 
my home or my place of business, then the regulator wasn’t doing 
their job. But in this case, there is no one overseeing this. It is, 
here is a set of rules; if you want to be able to utilize our product, 
please follow them. In the case if there is a breach, we depend on 
the Department of Justice to step in, often times informing a group 
of people that maybe there was a breach. 

Madam Chairwoman, I know that my time is expired, but this 
is really interesting to see, when we talk about a set of standards, 
to truly see how we can work together to look to see where the 
weak points are. But also from a compliance perspective, I know 
that there aren’t compliance efforts moving forward to truly work 
with the retailers if it is their responsibility to be held in compli- 
ance. But it seems to me that the system that we have today, I 
think we all agree, from different sides, that it is not working. 

Ms. Clarke. Thank you very much for your observations, Mr. 
Lujan. Thank you for your responses. 

We are in the process of votes right now, but I would like to get 
in one final question for this panel, and this question is for the en- 
tire panel actually. 

A large part of the data theft problem is the amount of valuable 
data stored in the system. Mr. Hogan and Mr. Jones testified that 
the credit card companies are actually requiring merchants to keep 
more data than they would otherwise prefer. Can the panel please 
explain what requirements exist for merchants to store credit card 
data in their systems, and why did the credit card companies dis- 
miss the suggestion from NRF that these requirements be 
changed? 

Mr. Majka. Madam Chairwoman, if I may start by answering 
that question. Visa does not require merchants to retain card hold- 
er data. We embarked on a campaign about 3 years ago to educate 
merchants on what data they absolutely need to maintain, and the 
campaign was called Drop the Data. In those cases, they are not 
required to retain the account number. 

We have found that some merchants do, in fact, retain the ac- 
count number, customer name, maybe the expiration date, and in 
those cases, should a merchant choose to maintain that data, they 
do have to secure it properly. But all merchants have the ability 
to work with their acquiring merchant bank to not store that data, 
and use whether it is an authorization code or transaction ID as 
a reference number to then research a transaction that may be in 
question. So from a Visa perspective, we do not require storage of 
that data. 

Ms. Clarke. Mr. Hogan. 

Mr. Hogan. That statement is quite interesting, because we hear 
from numerous, numerous merchants, restaurants, hotels that if 
they don’t keep some credit card data for a period of time to handle 
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the retrieval or chargeback request process, they will be fined and 
penalized. So I would love to have somebody go on record here from 
Visa or so on and so forth that would basically make a statement 
that, again, retailers and merchants do not need to store any credit 
card data at all, just keep an authorization code, and they will not 
be penalized at all in context of the chargeback or retrieval request 
process. Maybe that could be a question you could pose back. 

Ms. Clarke. I find this discrepancy to be very troubling, very 
troubling. 

Mr. Jones. 

Mr. Jones. I think we have to look at two entities, too. As the 
question was being answered, there was Visa does not require. 
Then the second part was, we recommend they work with their ac- 
quiring merchant bank to understand what data they need to keep 
or don’t need to keep. 

Visa is not the person that we work with on a day-to-day basis. 
We work with our merchant bank. If your merchant bank cannot 
provide you back the information for you to look up among your 
thousands, tens of thousands, hundreds of thousands, or millions 
of transactions which we deal with on a basis to pull that trans- 
action — and we have to physically pull a receipt again; we go from 
the point of we get a piece of paper with a card number on it, and 
we have to get to a point where we pull a receipt within a certain 
time period, otherwise we lose that transaction. So it is not a re- 
quirement. We could not do that. We could say that is a cost of 
doing business. By doing that, then, we would just automatically 
lose those dollars. 

My brethren in places like Best Buy or Big Ticket, it would cost 
them a fortune. Places like Marriott, or a hotel or a car reservation 
where you hold a reservation with a credit card number, or they 
put a $400 charge on your credit card where it is being held but 
not charged yet, they do have to keep that; otherwise they have no 
way to charge you after. 

So I think we are dealing with which organization is requiring 
versus PCI doesn’t require you, they are not a credit card organiza- 
tion. Visa just transports it; the merchant bank is something else. 
The retailer is left holding the bag and has no input or say, but 
yet is paying the transaction fee, is the one who pays for the trans- 
action when the customer says that they are not responsible for it 
and has no say in it. 

There is a solution out there, but there has been no interaction, 
there has been no partnership to really develop that solution, I 
think. 

Ms. Clarke. Well, let me just close by saying that this is some- 
thing that we have to fix. Mr. Majka, I look forward to speaking 
with you further about this. 

To all of you, thank you very much for your testimony today. 
This has been very interesting, very enlightening. I think we have 
got a lot of work to do, as I said in my opening statement. Cer- 
tainly I think some things have come to light here today that 
should concern all of us and that we should be working together 
as a team to make sure that we address. 

I thank the witnesses for their valuable testimony and the Mem- 
bers for their questions. The Members of the subcommittee may 
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have additional questions for the witnesses, and we will ask you to 
respond expeditiously in writing to those questions. 

Hearing no further business, the subcommittee stands adjourned. 
[Whereupon, at 3:15 p.m., the subcommittee was adjourned.] 



APPENDIX 


Questions From Chairwoman Yvette D. Clarke of New York for Rita M. 

Glavin, Acting Assistant Attorney General, Criminal Division, Department 

of Justice 

Question 1. How do you prosecute criminals in cyberspace when it is virtually im- 
possible to identify and attribute attacks to specific individuals? 

Answer. Response was not received at the time of publication. 

Question 2. What attraction does card fraud have for criminals and terrorists? 

Answer. Response was not received at the time of publication. 

Question 3. Would you say that card fraud is the financing method of choice for 
terrorists? 

Answer. Response was not received at the time of publication. 

Question 4. How many people and man-hours are devoted to investigations and 
prosecutions related to card fraud, including both data breaches and the criminal 
activity card fraud underwrites? 

Answer. Response was not received at the time of publication. 

Question 5. You testified that by disabling Shadow Crew’s Web site, the Depart- 
ment of Justice believed they “prevented hundreds of millions of dollars in addi- 
tional losses to the credit card industry.” Is it the Department’s understanding that 
the fraudulent charges that are the result of a data breach are a financial liability 
to the card brands, issuing banks, or acquiring banks? 

Answer. Response was not received at the time of publication. 

Questions From Chairwoman Yvette D. Clarke of New York for Robert 

Russo, Director, Payment Card Industry Data Security Standards Council 

Question 1. Why aren’t penetration tests required on a quarterly basis? Why don’t 
they conform to NIST standards? 

Answer. The PCI DSS requirement for penetration testing is not based exclusively 
on time intervals. Tests are also required after any significant changes to a data 
system environment that has been validated as compliant with the PCI DSS — as 
frequently as that may occur, which may be more frequently than quarterly. The 
Council’s information supplement regarding penetration tests is attached as Exhibit 
A.* This is in addition to the annual validation of static controls. It is also impor- 
tant to note that penetration tests are only a small part of the comprehensive set 
of controls and layers of security identified in the PCI DSS. 

Vulnerability assessments, which share many of the characteristics of penetration 
tests by identifying the same threats, are required, at a minimum, quarterly. Pene- 
tration tests are additive to, rather than substitutes for, the standards promulgated 
by the National Institute of Standards and Technology (NIST), which are also a crit- 
ical part of the process that our Approved Scanning Vendors (ASVs) utilize to iden- 
tify vulnerabilities in networks. Indeed, all ASVs rely on the NIST National Vulner- 
ability Database (http:l / nvd.nist.gov / '), a U.S. Government repository of standards- 
based vulnerability management data and each entity must receive a passing score 
quarterly to be considered compliant with the PCI DSS. 

Question 2. Given the prevalence of insider attacks (both physical and virtual), 
which have grown by 55% according to the intelligence community, why has two- 
factor authentication not been required of all users who access payment data within 
networks as well as all system administrators’ who have privileged rights? 

Answer. The PCI DSS requires two-factor authentication (Requirement 8.3) as a 
mechanism for external access (internet/remote) into cardholder data environments. 
The primary focus of PCI DSS Requirement 8.3 is to prevent unauthorized access 
from the outside, focusing on protecting from external intrusion, not internal access. 


* Attachments referred to have been retained in committee files. 
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For internal threats with respect to unauthorized authentication attempts, the 
PCI DSS provides a layered security approach that requires numerous other con- 
trols to minimize risks within the internal network. Two-factor authentication is one 
method for meeting this layered approach. Other approaches that address the inter- 
nal risk of user account takeover include prohibiting the use of risky protocols that 
expose user names and passwords (Telnet and FTP) and requiring passwords to be 
encrypted/hashed during transmission and storage within the internal network. 
There are also numerous user account management and password controls (Require- 
ment 8), along with logging and monitoring requirements (Requirement 10) that ad- 
dress internal controls to help mitigate internal risks including two-factor authen- 
tication. 

Question 3. How are Qualified Security Assessors trained? 

Answer. Because the quality of PCI DSS validation assessments can have a tre- 
mendous impact on the consistent and proper application of security measures and 
controls, the Council’s QSA qualification requirements are exacting and detailed, in- 
volving both the security companies themselves as well as the individual employees 
involved in assessments. 

In broad terms, prospective QSA companies must: 

• Apply for qualification in the program; 

• Provide documentation adhering to the Validation Requirements for Qualified 
Security Assessors v. 1.1, a copy of which is attached as Exhibit B;* 

• Qualify individual employees to perform the assessments, which requires an- 
nual training and testing of those employees, and; 

• Execute an agreement with the Council governing performance of validation as- 
sessments. 

In turn, each individual QSA employee who will be performing and/or managing 
on-site PCI DSS assessments: 

• Must attend annual PCI DSS training provided by the Council, which includes 
training in Scoping a PCI DSS Assessment, PCI DSS vl.2 Requirements, and 
Compensating Controls; 

• Must pass all examinations conducted as part of training; 

• Has access to face-to-face feedback sessions with the Council every 6 months; 

• Has access to the numerous fact sheets, information supplements, frequently 
asked questions, and webinars that the Council makes publicly available at its 
Web site at www.pcisecuritystandards.org / education. 

Our management of QSAs does not end with training. In 2008, the Council 
launched a Quality Assurance program to promote consistency of both services and 
results provided by the security assessment community. This program specifies 
eight guiding principles QSAs must commit to and outlines a number of criteria 
QSAs must adhere to in order to provide a more uniform experience for merchants 
and other customers. The criteria include evaluating QSAs based on consistency of 
the opinions rendered, competency of the professionals, credibility of the organiza- 
tions, and business ethics. To staff this program, the Council has also invested in 
a dedicated team responsible for assessor performance monitoring. 

Each assessor is required to use the template report associated with the PCI DSS 
(attached as Exhibit C*) as the framework for reporting validation to the standard. 
Each requirement contains one or more testing procedures that must be evaluated 
by the assessor and appropriately documented to demonstrate that the control has 
been tested by the QSA and is operating correctly. The quality assurance team re- 
views these reports to confirm that all testing procedures in the framework are com- 
pleted and documented, indicating consistency of practice in the assessor commu- 
nity. 

The Council’s quality assurance team evaluates trends among Report of Compli- 
ance documents in an effort to identify common inconsistencies and reports findings 
to the Council in order to consider and implement appropriate curative actions. Any 
such actions are communicated to the assessors via training, newsletters, and 
webinars. This information is also shared with the Council’s Technical Working 
Group for future consideration and possible adjustment of the PCI DSS. 

Question 4. Mr. Jones of Michaels Stores stated that “Many of the PCI require- 
ments are covered by the Sarbanes-Oxley audits.” Could you report to the committee 
on the redundancies between the Sarbanes-Oxley audits and the PCI Council’s own 
requirements? 

Answer. The Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) applies exclusively to 
publicly traded companies in the United States, addresses a host of concerns and 
is not primarily concerned with data security. Sarbanes-Oxley instead focuses pri- 
marily on addressing accounting standards and practices. The provisions of Sar- 


* Attachments referred to have been retained in committee files. 
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banes-Oxley are not intended, nor would they be adequate, to enable the market- 
place to achieve and maintain data security, particularly with respect to payment 
card data. The Council does not believe there is extensive overlap between Sar- 
banes-Oxley and PCI Standards. 

The PCI Standards are specifically designed to protect payment card data. They 
apply to both public and private companies of all sizes, both inside and outside the 
United States. Further, they are far more detailed and specific in the way they ad- 
dress data security issues: for example, the PCI DSS has over 225 requirements and 
525 testing criteria specific to data security. 

Given the specific nature of the PCI DSS and the absence of similar specific con- 
trols in Sarbanes-Oxley, we are unclear about precisely what redundancies Mr. 
Jones is referring to. 

Question 5. You testified that the PCI council does not develop or use metrics to 
evaluate the effectiveness of the council’s standards. How then does the council 
weigh proposals to the PCI standards if they cannot measure the costs and benefits 
of past and future additions to the standards? 

Answer. There are a number of readily available industry metrics that the Coun- 
cil uses to track the effectiveness of the standard. For example, the Nilson Report 
is a widely used industry publication with extensive metrics on payment card fraud 
and a wide range of other data security issues. 

Moreover, the payment card brands regularly receive and assess forensic informa- 
tion regarding the cause of payment card data breach incidents. This type of data 
provides critical information regarding where the PCI Standards may need to be 
strengthened or modified. This guidance is provided by the payment card brands as 
members of the Council’s technical working group. 

Proposed changes to the PCI Standards are shared with our Participating Organi- 
zations, which represent over 500 companies, all of which have first-hand experience 
in implementing standards and protecting payment card data on a daily basis. A 
formal feedback process enables the Council to receive robust feedback from this 
group. This feedback ensures additions and changes to the PCI Standards are 
weighed by those with a front-line perspective on what measures are most beneficial 
to protect payment card data. 

One example of how this broad industry feedback has directly resulted in changes 
to the PCI Standard is in the case of wireless security. In 2007, forensic investiga- 
tors indicated that insecure wireless implementations were at the core of a number 
of breaches. As a result of that, the Council started investigating wireless security 
with its stakeholder community — making it a key agenda item for discussion at our 
first Community Meeting. Feedback from that discussion led to changes in version 
1.2 of the PCI DSS. Finally, in order to help organizations meet the new require- 
ments, our stakeholders suggested creating a Wireless Special Interest Group — com- 
prised of representatives from dozens of our Participating Organizations — to exam- 
ine implementation issues. That group is expected to release an implementation 
guide on meeting the new wireless requirements in the coming weeks. 

It is broad participation such as this — coupled with the knowledge that the pay- 
ment brands bring to the table — that gives us confidence in our ability to measure 
the cost and benefits of future additions to the standard. 

Question 6. You stated in your testimony that “no standard is perfect. But the PCI 
security standards have proven to be the most effective means of preventing data 
breaches and protecting consumers.” Given that the Council has not developed or 
applied any metrics to measure the effectiveness of the PCI standards or to compare 
their resulting security to other payment technologies, how have the PCI security 
standards proven to be effective at all? 

Answer. Necessarily, evidence demonstrating that a particular standard is effec- 
tive in preventing a particular outcome must be inferential. However, it is note- 
worthy that with more than 10,000 payment card transactions per second worldwide 
(Source: American Bankers Association, March 2009) and the usage of payment 
cards steadily increasing, payment card fraud rates are at historic lows. The Council 
believes that the PCI Standards have been an integral driver of this trend, and in- 
dustry data supports that conclusion. 

Question 7. You stated that the council does not have a relationship with banks 
“other than to put the standard out there and make sure that they are creating 
awareness among their constituents.” Since it is the banks which, according to you, 
monitor compliance and the effectiveness of the standards, should not they be cen- 
tral to the drafting process? 

Answer. My statement pertained to lack of a direct contractual business relation- 
ship between the Council and the banks. It was not intended to suggest that banks 
are not intimately involved in data security standards. Any suggestion to the con- 
trary was inadvertent. 
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Banks are a pivotal part of our organization. Over 40 financial institutions world- 
wide — including such leading U.S. banks as Bank of America, Capitol One, and 
Wells Fargo — have joined the Council as Participating Organizations. These organi- 
zations receive draft copies of the PCI Standards for comment prior to publication 
and have the opportunity to contribute feedback during the drafting process. Finan- 
cial institutions also comprise nearly one-quarter of the Council’s elected Board of 
Advisors. 

Question 8. Merchants who have experienced data breaches also face significant 
class action lawsuits. What liability exists for the payment card industry and the 
assessors if a PCI-compliant company is breached? 

Answer. The PCI Standards do not assign liability to any party in the event there 
is a data breach. Any liability from a data breach would arise from agreements be- 
tween participants in a network and/or applicable law. 

Consistent with its role as a standards development organization, as discussed 
above, the Council does not impose any liability allocation requirements between as- 
sessors and merchants, nor does it have knowledge of the contractual terms entered 
into between individual payment card brands (who are competitors of each other) 
and their industry partners. Consequently, the Council does not have special insight 
into how any liability for payment card breaches is allocated. 

Question 9. In response to the committee, JCB said that they expect the PCI 
standards will continue to “become even more stringent in future iterations.” Is this 
also your expectation? What changes will the next iteration likely have? 

Answer. At this point in our standards lifecycle process, we are not in a position 
to predict what specific changes will be included in the next major iteration of the 
PCI Standards — our open comment period for the most recent release starts in July. 
This comment period is a pivotal part of a rigorous, end-to-end review undertaken 
within a 2-year lifecycle process that includes input and feedback periods for our 
Participating Organizations. Any changes introduced to meet new and evolving 
threats will be debated with all of our stakeholders before release. 

In order to address interim threats, as previously noted in my written testimony, 
the Council maintains on-going two-way communications with its assessors, mer- 
chants, and other stakeholders, and has the ability to issue errata to the PCI DSS, 
flash bulletins on emerging threats, monthly newsletters to the Assessor commu- 
nity, regular updates to the ASV test scanning environment, monthly webinars with 
both assessors and merchants, and updates to the Council’s on-line searchable FAQ 
and training materials. 

Question 10. Currently, requirements of notification of breaches vary from State 
to State. Given that the Department of Justice stressed the importance of notifica- 
tion, both of law enforcement and consumers, has or will the Council consider man- 
dating notification as part of its standards? How would or could that be enforced? 

Answer. As a standards body, the Council has no direct contractual power that 
would enable it to mandate or enforce such notification by retailers or processors 
when they suffer a breach. Although we do not have the power to require notifica- 
tion, each of our members feels strongly that notification of law enforcement and 
affected consumers is an important component in a security breach response plan. 

In fact, PCI DSS Requirement 12.9.1(b), which addresses Incident Response, re- 
quires entities to have a communication and contact strategy in the event of data 
compromise as well as an analysis of legal requirements for reporting compromises. 

Question 11. You stated in your testimony that “in fact, we have never found a 
breached entity to have been in full compliance with the PCI standards at the time 
of a breach.” Can you please explain the discrepancy between that statement and 
the statement of Ellen Richey, Chief Enterprise Risk Officer at Visa, Inc., that 
Heartland had validated PCI compliance “but it was a lack of ongoing compliance 
and ongoing vigilance in maintaining security that left them vulnerable to attack”. 
Can you please explain exactly how Heartland was not in full compliance with the 
PCI standards? 

Answer. These two statements are consistent. As noted in my written testimony, 
validation of compliance with the PCI DSS only represents a snapshot in time that 
coincides with information shared with and interpreted by a QSA during the assess- 
ment period. No entity that has custody of customer data can afford to gear up for 
an assessment, and then relax its vigilance thereafter. While assessment is a useful 
tool to uncover vulnerabilities, stakeholders across the payment chain must realize 
that data security, and not passing assessments, is the goal of an effective compli- 
ance program. The 2009 Data Breach Investigations Report from Verizon Business 
(attached as Exhibit D*) found that effective tracking and monitoring of network ac- 
cess was not in place at 95% of breached entities at the time of compromise. This 


* Attachments referred to have been retained in committee files. 
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provides a good example, because the tracking and monitoring requirement is a se- 
curity practice that requires on-going compliance to be effective. Its value is severely 
limited if it is in place only during validation of compliance to the PCI DSS. 

Unfortunately, the dynamic nature of any organization’s complex information 
technology systems and network environments, as well as turnover of human re- 
sources, can require the taking of a wide variety of actions that, absent appropriate 
steps to restore system integrity can render a validated system noncompliant quick- 
ly after a satisfactory compliance report has been issued. To use an analogy, effec- 
tive compliance should be viewed as equivalent to a full-length feature film where 
an organization must be “compliant” at each and every frame of that film. In con- 
trast, validation of compliance is determined by a QSA only in a single, specific 
frame of that film. 

Question 12. Mr. Majka of Visa stated in his testimony that “security must be a 
shared responsibility among all relative parties — law enforcement, payment compa- 
nies, regulatory agencies, retailers and others.” How is the financial risk and liabil- 
ity shared between these parties? 

Answer. The Council is not involved in the allocation of risk within a particular 
network. This question is better directed to participants in the respective networks, 
including the networks themselves. 

Question 13. Mr. Majka of Visa stated that “we must collectively apply multiple 
layers of security to protect the system. That includes measures applied at the card 
level such as card verification values.” It is the committee’s understanding that not 
all issuing banks are required to support CWs and not all transactions are required 
to include CWs. Can you explain how the Council develops and enforces standards 
for the card brands and issuing and acquiring banks? 

Answer. It is important to recall, as noted above, that the Council manages and 
develops — but does not enforce — the PCI Standards, nor does it enforce operational 
regulations imposed by the payment brands. Instead, it makes standards available 
to the market as tools to be used in order to protect the payment card data of any 
entity that stores, transmits, or processes payment card data. Members of the pay- 
ment chain then individually decide which industry partners must comply with the 
PCI Standards, define required compliance validation mechanisms, and manage any 
enforcement programs that may exist. 

Requirements that exist between individual card brands and their issuing and ac- 
quiring banks are not within the Council’s purview. 

Question 14. According to Mr. Jones’ testimony, PCI states that all credit card 
data must be encrypted, with the exception that it need not if the data travels over 
a private network. Nonetheless, Mr. Jones says in spite of that his company does 
not send this information over their own private network unencrypted. Surprisingly, 
he notes, “The credit card companies’ financial institutions, the very organizations 
that have created and are mandating this rigorous and highly complex standard, do 
not accept encrypted transactions. We must decrypt the credit card number at our 
corporate headquarters prior to sending to the merchant bank for approval!” And 
Mr. Jones’ company has to re-encrypt this data when it is sent back to its stores. 
As a result of his company’s strong objection to this policy, it has asked for the past 
3 years for the ability to send encrypted information to the banks but nothing has 
happened. One reason given is that it is too expensive to implement. Mr. Jones has 
been told if the retailers “are willing to pay the costs (i.e., the credit card banks’ 
cost) to implement it, we will consider it.” 

How important is the cost to the credit card banks in your analysis? 

Answer. Cost to all stakeholders, including merchants is one of many factors that 
are taken into account in considering changes to the PCI Standards. Effective data 
security must be affordable to the millions of participants in the payment chain that 
must invest in it or they cannot be expected to act quickly and effectively enough 
to meet on-going threats. Any effective security stance must therefore realistically 
take cost into account. For example, our Participating Organizations, and particu- 
larly our merchant Participating Organizations, have told us that internal 
encryption would be extremely — even prohibitively — expensive, and have urged us 
to pursue more affordable, alternative ways to make further security advances in 
this area. 

Question 15. Can you explain your process for evaluating Mr. Jones’ 3-year effort 
to be able to encrypt information to the banks? Also, who has opposed this sugges- 
tion? 

Answer. Until our introduction at the hearing, Michaels Stores, Inc. (“Michaels”) 
had not presented its opinions regarding this issue to the Council. Moreover, Mi- 
chaels is not a Participating Organization and so to date has not attended any of 
our community meetings or feedback sessions in the almost 3 years since the Coun- 
cil’s inception. The Council had therefore not had any prior opportunity to evaluate 
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the Michaels suggestion, nor is it aware of who may or may not be supportive of 
this suggestion. The Council would welcome Michaels as a Participating Organiza- 
tion so that its views could be heard and debated among our stakeholder commu- 
nity. 

Question 16. A large part of the data theft problem is the amount of valuable data 
stored in the system. What requirements exist for merchants to store credit card 
data in their systems? Please explain how the chargeback/retrieval process affects 
what kinds of data can or should be stored on a merchant’s system. 

Answer. The Council is not involved in the assessment of the chargeback and re- 
trieval process. Those processes are dictated by participants in the payment network 
and those participants are therefore in a better position to respond to the question, 
and speak to the necessity of various kinds of data in connection with the 
chargeback/retrieval process. 

To more broadly answer the question of what data merchants are required or per- 
mitted to retain, the fundamental premise of PCI DSS is “if you don’t need it, don’t 
store it.” That is why requirement 3.1 of the PCI Data Security Standard stipulates 
that organizations should only retain data that is required for business, legal and/ 
or regulatory purposes. In other words, the PCI DSS does not itself mandate that 
merchants retain any specific kind of data. To the extent card data must be stored 
for legitimate purpose, it must be stored in a secure manner. 

Question 17. Why do card brands require merchants to retain cardholder data for 
the purpose of chargebacks? Since this is such vulnerability for merchants and card- 
holders, why not mandate that no cardholder data be retained and provide trans- 
action IDs for the purpose of chargebacks? 

Answer. As noted above, the Council is not involved in the chargeback process. 

Question 18. Why does the PCI Council not mandate PINs for credit card trans- 
actions? 

Answer. What data is presented in a transaction is part of the authorization for- 
mat used by the payment systems. Since the Council is a security standards body, 
we are focused on providing standards to secure payment data within the current 
payment system. The Council has nothing to do witb authorization format require- 
ments or the authentication of a transaction at the point of sale. The Council does 
not run a payment network, nor do we have influence over vendors’ product plat- 
forms. 

If the system evolves to mandate PINs for all transactions, the Council will then 
address tbe issue of how to best provide the market with any necessary standards 
to secure this process. For example, the Council already maintains a comprehensive 
standard for PIN Entry Devices. This standard lists requirements that address 
physical and logical requirements for devices that process PIN transactions and 
would likely be an integral part of securing PINs if they were to be used more 
broadly in authentication. 

Question 19. The basic design and security model of credit cards has not changed 
since the 1950s. What major investments would be required for a large scale migra- 
tion to a different payment technology? Who would make those investments? For ex- 
ample, if we were move to a chip and PIN system? 

Answer. The design and security model of payment cards has changed extensively 
since the 1950s. Advances have included advanced hologram technologies, on-line 
authorizations, Card Verification Codes, 3-D Secure, address verification, real-time 
heuristic fraud detection solutions, on-line PIN and off-line chip & PIN. This is just 
a sample. 

However, any migration decisions are driven by the underlying value proposition, 
which may differ from market to market and vary by payment brand. The Council 
in its role as a standards body does not have insight into these elements. 

Question 20. Your responses to the committee concerning adopting technological 
changes to the PCI standards, such as the end-to-end encryption embraced by other 
witnesses, seems to be: (1) We have addressed this issue [“there are provisions with- 
in the standard now that address this data, address the inside network that should, 
in fact, . . . stop this from happening ...”]; or (2) it’s unnecessary to address 
this issue [“so tbe need for end-to-end encryption within the internal network is 
really not there.”]; or (3) we are considering addressing this issue [“we have issued 
a proposal to a number of technology companies to give us an independent study 
on what we are calling emerging technologies, one of which is end-to-end 
encryption.”]. Given the skepticism toward Visa and the PCI Security Standards 
Council expressed by the other members of the panel, can you point to specific ac- 
tions you are taking that will reassure this committee that you are approaching the 
adoption of end-to-end encryption and other security-enhancing solutions with the 
degree of urgency and level of seriousness warranted by the current threat? 
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Answer. The introduction of any new technology — whether it is end-to-end 
encryption or other security enhancing solutions such as virtualization and 
tokenization — is a matter of utmost importance to the Council and is treated as a 
high priority. We are constantly evaluating the potential uses of new technologies 
to improve the security of payment card data. As noted in your question, we have 
issued a proposal to a number of technology companies to research and submit to 
us an independent study of emerging technologies, one of which is end-to-end 
encryption. As discussed further in the response to Question 21 below, we expect 
to commission that study in the coming weeks. The issuing of this technology study 
demonstrates the Council’s commitment to examining the relevance on an on-going 
basis of technologies such as encryption to the PCI Standards. 

It is important to note, however, that the message from our stakeholders regard- 
ing end-to-end encryption has been mixed. During the last feedback period in 2007, 
we received input from more than 350 organizations. It is noteworthy that not a sin- 
gle organization requested that end-to-end encryption be mandated or even exam- 
ined. Our Board of Advisors has similarly not requested an examination of end-to- 
end encryption. 

Question 21. What technology companies are providing these “independent” stud- 
ies of emerging technologies? Mr. Jones testified that end-to-end encryption is not 
an “emerging” technology. If that is correct, what do these companies need to study 
with regard to end-to-end encryption? 

Answer. The Council conducted an RFP process for selecting a vendor to assist 
in the technology study. We are currently in the negotiation process with the final- 
ist — one of the major public accounting firms. Our RFP asked vendors to examine 
the impact that emerging technologies — including end-to-end encryption as well as 
technologies such as virtualization and tokenization — might have on the PCI Stand- 
ards, and how broad adoption of these technologies might serve to simplify the proc- 
ess of securing payment card data. 

To Mr. Jones’ point, while encryption itself is not a new technology, no standard 
currently exists on how to apply end-to-end encryption in a comprehensive data se- 
curity framework. 

Question 22. Visa asserts that consumers bear zero legal liability for fraudulent 
use of credit cards. How is this policy financed? 

Answer. Council members understandably avoid discussing any matters that 
might in any way relate to the pricing and financing models of the individual pay- 
ment brands, and the Council accordingly does not address such areas. This ques- 
tion is best directed to Visa, but we do note, that U.S. Pub. Law 93-495 (commonly 
referred to as “Reg E”) protects a consumer against fraud in excess of $50. 

Again, I appreciate the opportunity to assist the committee in this matter, and 
support its goal of reducing the number and impact of data security breaches. The 
Council remains available to provide the committee with information to more fully 
understand and address cybersecurity concerns as they relate to the PCI DSS and 
other payment chain-related standards for which the Council has responsibility. 

Questions From Chairwoman Yvette D. Clarke of New York for W. Joseph 

Majka, Head of Fraud Control and Investigations, Global Enterprise Risk, 

Visa, Inc. 

Question 1. The PCI requirements are directed solely at merchants and retailers. 
Why shouldn’t there be a prescriptive security mandate for Visa or other payment 
card brands to secure your own networks? 

Answer. The PCI Data Security Standard (PCI DSS) applies to all entities that 
store, process, or transmit payment cardholder data, including financial institutions, 
processors, third party service providers, and merchants. Visa, Inc. has validated 
and maintained on-going PCI DSS compliance on an annual basis using an inde- 
pendent qualified security assessor (QSA) since the creation of the PCI DSS in 2006. 
In addition, Visa, Inc. adheres to more rigorous security measures to protect the 
overall Visa payment system. Visa is subject to oversight by U.S. regulatory bodies 
under the auspices of the Federal Financial Institution Examination Council 
(FFIEC) and undergoes regular reviews by the FFIEC. 

Question 2. Given the central role the card brands play in the American economy, 
what responsibilities do you believe they have to consumers and to the Nation? 

Answer. Securing consumer data within the U.S. economy is a shared responsi- 
bility, and every industry should deploy focused resources to protect consumer infor- 
mation within its care. In this regard, the payment card industry has done more 
than any other to provide stakeholders with the tools and guidance needed to prop- 
erly secure the data they are trusted to protect. Visa has led the industry in pro- 
tecting cardholder data and stands ready to continue to support industry partici- 
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pants in our collective fight against the criminals that perpetrate card fraud. 
Thanks to massive investments and innovative solutions, compromise events rarely 
result in actual fraud and fraud rates in the payments industry remain near all- 
time lows. 

Question 3. Is a breached company (whether compliant with the PCI Standards 
or not) subject to increases in interchange rates? 

Answer. Visa does not increase or modify the interchange rate structure that ap- 
plies to an entity that is breached. In fact, since October 1, 2007, to encourage and 
provide incentives for stronger protection against data breaches, acquiring financial 
institutions have been able to qualify transactions for lower interchange rates under 
the “tiered” interchange rate system by, among other best practices and volume re- 
quirements, ensuring that their merchant customers comply with the PCI DSS. 
Acquirers of merchants that have been compromised and are found not to have been 
in compliance with the PCI DSS may therefore lose the benefit of these incentive- 
based “tiered” interchange rates, until they demonstrate that they have come into 
compliance. 

Question 4. In responses to the committee’s investigation, you stated that “while 
there have been a few instances where an entity with previously validated PCI DSS 
compliance was the victim of a compromise, in all compromise cases our review con- 
cluded that gaps in the compromised entity’s PCI DSS controls were major contribu- 
tors to the breach.” What gaps are normally found in a victim’s security controls 
after they have been certified PCI compliant, but later found to be out of compli- 
ance? 

Answer. In all compromised cases within Visa’s purview, third-party investiga- 
tions concluded that gaps in the compromised entity’s PCI DSS controls were major 
contributors to the breach. Gaps commonly include failures to secure and monitor 
non-payment-related systems that are connected to the payment environment, 
which are then targeted to gain access to the network. Corporate Web sites are an 
example of non-payment-related systems commonly targeted by criminals through 
Structured Query Language (SQL) injection attacks. Another common gap is insuffi- 
cient monitoring of logs for firewalls, anti-virus, intrusion detection systems, as well 
as monitoring of privileged user accounts. The PCI DSS requires that not only 
should there be mechanisms in place to monitor for intrusions, but also that the or- 
ganization regularly monitors the logs generated to identify and investigate anoma- 
lous activity. 

Visa works with its acquiring financial institutions, through its compliance pro- 
grams to ensure merchants and their service providers achieve and maintain PCI 
DSS compliance. It is the responsibility of the acquiring financial institution, which 
deals directly with their merchants and their service providers, to ensure these enti- 
ties continue to eliminate unnecessary risk to the overall payment system. To deter- 
mine overall success of these measures, Visa actively requests frequent reporting 
from its acquiring financial institutions on the status of the PCI DSS compliance 
of their merchants and service providers. In support of these compliance programs, 
Visa has actively communicated, since 2006, common vulnerabilities and cor- 
responding mitigation measures that merchants and service providers mistakenly 
leave susceptible to attack on their systems. In addition, Visa provides other data 
security alerts, bulletins and webinars to payment system participants, all publicly 
available at www.visa.com / cisp. 

Validating PCI DSS is a major milestone, but achieving and maintaining compli- 
ance requires companies to make an on-going commitment to keeping all consumers’ 
data safe, including cardholder data — 24 hours a day, 7 days a week, 365 days a 
year. For any standard to be effective, however, organizations must rigorously en- 
sure that they comply with each of its requirements on an on-going basis. Verizon 
Business’ 2009 Data Breach Investigations Report affirms similar findings, “The 
majority of breaches still occur because basic controls were not in place or because 
those that were present were not consistently implemented across the organization.” 
Further, the report specifically attributes non-compliance to PCI DSS requirements 
as major factors contributing to breaches. Verizon cites PCI DSS Requirements 3 
(protect stored cardholder data), 6 (develop and maintain secure systems and appli- 
cations), and 10 (track and monitor access to network resources and cardholder 
data) as the least compliant across their caseload, saying, “This trio of deficiencies 
factored heavily into many of the largest breaches investigated by our team over the 
past five years.” 

Question 5. Mr. Russo of the PCI Council stated in his testimony that “in fact, 
we have never found a breached entity to have been in full compliance with the PCI 
standards at the time of a breach.” Can you please explain the discrepancy between 
that statement and the statement of Ellen Richey, Chief Enterprise Risk Officer at 
Visa, that Heartland had validated PCI compliance “but it was a lack of on-going 
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compliance and on-going vigilance in maintaining security that left them vulnerable 
to attack”. Can you please explain exactly how Heartland was not in full compliance 
with the PCI standards? 

Answer. In all compromise cases within Visa’s purview and as stated by Mr. 
Russo, despite any validation that may have been completed by a QSA, the breached 
entity was not found to have been in full compliance at the time of the breach. 
Based on compromise event findings, Visa removed Heartland from its list of PCI 
DSS compliant service providers. Information related to Heartland’s PCI DSS com- 
pliance status was provided to Visa under the obligations of a confidentiality agree- 
ment. As such, Visa suggests contacting Heartland directly for specifics. 

Question 6. You stated in your testimony that Visa looks forward to “working with 
all participants to continue to develop tools to minimize the risk and the impact of 
data-compromise events.” Does Visa understand the committee’s concern about a 
fraud prevention strategy that minimizes fraudulent charges only to the extent that 
card brands and issuing banks remain solvent when fraudulent charges finance 
criminal activities? 

Answer. Visa’s goal is to prevent both card data compromises and the subsequent 
potential for fraudulent transactions. Visa has been executing a multi-layered secu- 
rity strategy working with all payment system participants to prevent data com- 
promises around the world as well as the fraud that may result there from. Visa 
invests substantial resources and leads innovation in the industry with measures 
to stay ahead of criminals and prevent them from obtaining financing through the 
payment system. This includes, for card-based solutions (e.g., EMV-chip, 
contactless), data-based measures (e.g., PCI DSS), and network-based technologies 
(e.g., Advanced Authorization, neural networks, Address Verification Service). In ad- 
dition, participants in the Visa system should strictly adhere to the EFT Act and 
Reg. E, the Truth in Lending Act and Reg. Z, as well as numerous other Federal 
regulations that protect consumers from the consequences of data breaches and 
fraud. Additionally, Visa is currently working to empower cardholders to play a 
more active role in protecting their information through innovations such as trans- 
action alerts. Armed with this kind of information, cardholders can help monitor 
usage on their accounts and identify potential fraud. All of these measures are de- 
signed to prevent criminals from obtaining card data, and to prevent them from 
using it to commit fraud. 

Question 7. Merchants who have experienced data breaches also face significant 
class action lawsuits. What liability exists for the payment card industry and the 
assessors if a PCI-compliant company is breached? 

Answer. Parties that experience data breaches may be subject to the liabilities de- 
termined through the court system. Visa is aware of a number of class action law- 
suits related to major data breaches in the United States. However, Visa cannot 
speculate about facts and outcomes in potential or pending class action lawsuits. To 
our knowledge, no organization that has fully implemented and maintained compli- 
ance with the PCI DSS has been the victim of a data compromise event. These 
breaches damage consumer trust in the overall electronic payment system, including 
Visa and its brand. 

Question 8. In response to the committee, JCB said that they expect the PCI 
standards will continue to “become even more stringent in future iterations of the 
PCI standards.” Is this also your expectation? What changes will the next iteration 
likely have? 

Answer. The PCI SSC is charged with reviewing and updating the PCI DSS to 
ensure that it remains effective to protect card data, by incorporating input from 
stakeholders as well as technological developments in the evolution of the standard 
over time. Since its creation, the PCI DSS has been formally updated three times, 
with considerable input from over 500 participating organizations, including mer- 
chants, banks, and service providers from around the world, in order to meet the 
evolving threats to the system, changing technologies and the increased sophistica- 
tion of hackers. The updates introduced in version 1.1 and 1.2 of the PCI DSS have 
been relatively minor changes, most of which served as clarifications to help entities 
better understand the intent of a requirement. We expect the standard will continue 
to evolve to address new threats as they materialize and add further specificity 
where participating organizations, including many global merchants, provide feed- 
back. 

Question 9. Currently, requirements of notification of breaches vary from State to 
State. Given that the Department of Justice stressed the importance of notification, 
both of law enforcement and consumers, has or will the Council consider mandating 
notification as part of its standards? How would or could that be enforced? 

Answer. PCI DSS Requirement 12.9.1 addresses incident response and requires 
entities to have a communication and contact strategy in the event of data com- 
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promise. Additionally, in the event of a compromise Visa advises entities to follow 
all State and Federal disclosure requirements. Visa also works closely with the Fed- 
eral Bureau of Investigation’s Cyber Division, United States Secret Service, United 
States Postal Inspection Service, State attorneys general and the Department of 
Justice Cybercrime and Intellectual Properties Unit in criminal cases of data com- 
promises. 

Question 10. You stated that “security must be a shared responsibility among all 
relative parties — law enforcement, payment companies, regulatory agencies, retail- 
ers and others.” How is the financial risk and liability shared between these par- 
ties? 

Answer. Financial institutions have the direct responsibility and relationship with 
cardholders, and because of Federal law and Visa’s zero liability policy for card- 
holders, bear most of the financial loss if fraud occurs. Visa’s Account Data Com- 
promise Recovery program allows issuing financial institutions to receive reimburse- 
ment for counterfeit fraud losses and a portion of their operating expenses incurred 
as a result of data compromise events from the financial institution responsible for 
the compromised entity in the Visa system. 

Question 11. Mr. Jones of Michaels Stores stated in his testimony that “credit 
card companies’ financial institutions do not accept encrypted transaction.” The 
committee is concerned that the PCI Council is not applying the same standards 
to its members that it applies to merchants and processors. Is Visa planning to 
move forward with securing the communications channel between merchants and fi- 
nancial institutions? 

Answer. Visa accepts encrypted data transmissions from its processing endpoints 
and many processors also accept encrypted data transmissions for merchant trans- 
action submissions. Visa is also mandating use of stronger encryption for protection 
of PINs at every point of sale globally, specifying use of Triple Data Encryption 
Standard (TDES) for PIN accepting entities. While the PCI DSS requires encryption 
over public networks including the internet, it does not require the use of encryption 
over private networks, such as a merchant’s internal network or a private connec- 
tion between a merchant and processor. Encrypting cardholder data in-transit over 
private networks is encouraged. It should be noted, however, that while encryption 
can add an additional layer of security, the data is still at risk if transactions must 
be decrypted at any point within the private network — for example, for transaction 
processing — and must still be properly protected. As such, many organizations have 
determined that the costs and number of system and software modifications needed 
outweigh any incremental security benefit. The requirements outlined currently in 
the PCI DSS, when implemented properly, should effectively prevent a criminal 
from obtaining access to a business’ private network and detect any unauthorized 
access. 

Question 12. The basic design and security model of credit cards has not changed 
since the 1950s. What major investments would be required for a large-scale migra- 
tion to a different payment technology? Who would make those investments? For ex- 
ample, if we were move to a chip and PIN system? 

Answer. In the 50 years since the beginning of the card industry, Visa has evolved 
from credit card roots to become one of the world’s leading global retail electronic 
payments networks. Today, the Visa network connects cardholders, merchants, and 
financial institutions around the world with products and services that are designed 
to make payments faster, more convenient, more reliable, and more secure. At the 
heart of Visa’s business is VisaNet, our centralized processing platform and one of 
the world’s largest transaction and information processing networks. Nearly 92 bil- 
lion authorization, clearing, and settlement transactions were processed through 
VisaNet in calendar year 2008. On this platform, Visa has been able to build capa- 
bilities that provide secure, reliable, and scalable processing, including innovations 
such as Advanced Authorization to risk-score transactions in real time. Other exam- 
ples of technological improvements include the introduction of magnetic stripe tech- 
nology, CW2 (three-digit code on the back of a Visa card), address verification serv- 
ice and contactless cards with dynamic data technology. There have also been anti- 
counterfeit measures such as holograms, ultra-violet marks, and micro text, to name 
a few. Fraud rates today are at historic lows, much lower than they were decades 
ago when we did not fully benefit from the power of the Visa network to be able 
to analyze and authorize transactions in real time. 

Visa supports chip technologies around the world, including in the United States 
where we are beginning to see adoption in mobile and contactless payments. Chip 
technology — both contact and contactless — can add an important security layer, in- 
troducing dynamic data into transactions which can reduce the incidence of fraud. 
However, we recognize that there are different needs, threats, and infrastructures 
in different parts of the world, and there is no one-size-fits-all chip solution. In some 
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other countries around the world, the market has driven the adoption of chip tech- 
nology based on these factors. To the extent chip adoption can meet the needs of 
the payments industry in the United States, Visa is ready to support migration as 
it has in other markets. Where chip technology has been implemented broadly in 
a market, it should be noted that migration takes time. The costs have been shared 
by all parties — payment networks, financial institutions, and merchants. Generally, 
the card brands make investments in the network upgrades and consistent stand- 
ards and financial institutions and merchants typically bear the increased cost of 
card technology and the upgraded payment terminals. 

Question 13. A large part of the data theft problem is the amount of valuable data 
stored in the system. What requirements exist for merchants to store credit card 
data in their systems? Please explain how the chargeback/retrieval process affects 
what kinds of data can or should be stored on a merchant’s system. 

Answer. Visa does not require merchants to store complete card numbers. To the 
contrary, Visa encourages merchants to limit retention to truncated account num- 
bers and has executed a “drop the data” educational campaign in partnership with 
the U.S. Chamber of Commerce over the past 3 years to encourage merchants to 
reduce data storage (www.dropthedata.com). A merchant may work with their ac- 
quiring financial institution to implement the necessary chargeback processes that 
do not rely upon the merchant’s storage of the account number. For example, a 
signed point-of-sale terminal receipt with a truncated account number and the ac- 
companying authorization log is valid fulfillment and will remedy a fraud 
chargeback. As such, a merchant may mitigate their risk by storing only truncated 
account numbers. In many cases, merchants decide to store cardholder data for mar- 
keting, loyalty programs, or customer service purposes. In those instances, Visa re- 
quires that stored data is protected in accordance with the PCI DSS. 

Question 14. In responses to the committee, Discover stated that it is currently 
making changes to processes to provide merchants with the option of receiving 
masked data for disputes (like retrievals and chargebacks) as well as settlement re- 
ports. Is Visa doing something similar? Would this cut back on the amount of data 
stored that could be subject to breach? 

Answer. Visa does not require merchants to store complete card numbers. Visa 
continues to work with those financial institution clients that may be requesting 
card numbers for dispute resolution to eliminate this practice and adopt the use of 
truncated account numbers. While Visa strives to eliminate any practices that may 
lead to the storage of cardholder data, there are likely many other reasons mer- 
chants have made a business decision to store this data, including processing re- 
turns and loyalty programs. In addition to our efforts to limit retention of complete 
account numbers, Visa has made considerable strides toward eliminating the stor- 
age by merchants and processors of authorization data, which criminals covet to 
perpetrate fraud. This “prohibited” data includes full magnetic stripe data, the 
CVV2 or “Card Verification Value 2” and PIN. 

Question 15. Visa asserts that consumers bear zero legal liability for fraudulent 
use of credit cards. How is this policy financed? 

Answer. Visa card-issuing financial institutions are responsible for complying with 
Federal law and honoring Visa’s zero liability policy for cardholders and, as a result, 
bear most of the financial loss if fraud occurs. 

In closing, Visa is acutely focused on ensuring that payment products are not used 
to perpetrate criminal activity and has taken a leading role in promoting cardholder 
information security and innovation within the payments industry. I appreciate the 
opportunity to assist the committee in this matter. 

Questions From Chairwoman Yvette D. Clarke of New York for Michael 

Jones, Senior Vice President and Chief Information Officer, Michaels 

Stores, Inc. 

Question 1. How much does it cost you to comply with the PCI standards, and 
are they effective in keeping out intruders? 

Answer. Response was not received at the time of publication. 

Question 2. Are retailers bearing a disproportionate burden of costs in data secu- 
rity? 

Answer. Response was not received at the time of publication. 

Question 3. Do you agree that the effectiveness of data security standards is in- 
herently limited by the technology base of U.S. credit and signature debit card proc- 
essing networks? How could this technology base be improved, and what obstacles 
exist that would prevent this from happening? 

Answer. Response was not received at the time of publication. 
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Question 4. Have you ever notified the Council of assessors trying to sell their own 
products or services? 

Answer. Response was not received at the time of publication. 

Question 5. The basic design and security model of credit cards has not changed 
since the 1950s. What major investments would be required for a large-scale migra- 
tion to a different payment technology? Who would make those investments? For ex- 
ample, if we were move to a chip and PIN system? 

Answer. Response was not received at the time of publication. 

Question 6. A large part of the data theft problem is the amount of valuable data 
stored in the system. What requirements exist for merchants to store credit card 
data in their systems? Please explain how the chargeback/retrieval process affects 
what kinds of data can or should be stored on a merchant’s system. 

Answer. Response was not received at the time of publication. 

Question 7. Visa asserts that consumers bear zero legal liability for fraudulent use 
of credit cards. How is this policy financed? 

Answer. Response was not received at the time of publication. 

Questions From Chairwoman Yvette D. Clarke of New York for David 

Hogan, Senior Vice President, Retail Operations, and Chief Information 

Officer, National Retail Federation 

Question 1. Are retailers bearing a disproportionate burden of costs in data secu- 
rity? 

Answer. Response was not received at the time of publication. 

Question 2. Do you agree that the effectiveness of data security standards is in- 
herently limited by the technology base of U.S. credit and signature debit card proc- 
essing networks? How could this technology base be improved, and what obstacles 
exist that would prevent this from happening? 

Answer. Response was not received at the time of publication. 

Question 3. Have you ever notified the Council of assessors trying to sell their own 
products or services? 

Answer. Response was not received at the time of publication. 

Question 4. The basic design and security model of credit cards has not changed 
since the 1950s. What major investments would be required for a large-scale migra- 
tion to a different payment technology? Who would make those investments? For ex- 
ample, if we were move to a chip and PIN system? 

Answer. Response was not received at the time of publication. 

Question 5. A large part of the data theft problem is the amount of valuable data 
stored in the system. What requirements exist for merchants to store credit card 
data in their systems? Please explain how the chargeback/retrieval process affects 
what kinds of data can or should be stored on a merchant’s system. 

Answer. Response was not received at the time of publication. 

Question 6. Visa asserts that consumers bear zero legal liability for fraudulent use 
of credit cards. How is this policy financed? 

Answer. Response was not received at the time of publication. 
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